The Future of Tech Conferences Is Tech

Conferences are not keeping up with 
their attendees in the use of technology 

I was able to attend a couple of tech conferences last fall. The first 
was the revived Microsoft Exchange Conference (MEC) in September,
which was put on by Microsoft to celebrate the launch
of Exchange Server 2013. The second show was Microsoft Exchange
Connections, part of the larger Windows Connections event, which 
is collocated with DevConnections, giving IT pros and developers a 
full slate of sessions on a range of topics including SharePoint, SQL 
Server, mobile development, cloud computing, and more. 

Although these two conferences were different in focus, each being 
successful in its own ways, the back-to-back experiences highlighted 
for me a shortcoming of conferences these days, particularly tech 
conferences. The conferences themselves aren’t keeping up with their 
attendees in the use of technology. Conference organizers need to get 
on the ball and take advantage of technology to give attendees a better
conference experience.

The Wi-Fi Problem and the Multitude 
of Connected Devices 

One of the biggest problems, and one that I’ve seen or heard about at 
just about every major conference in the past couple of years, has to 
be the failure of the conference Wi-Fi. If you’ve been to conferences 
recently, you know what I’m talking about: You sit down at the opening
keynote, ready to log in to the conference Wi-Fi network and fire
up Twitter so you can live blog, or maybe just prepare to catch up on
some email during the boring bits. But you find you’re unable to get
on the network at all because it’s already congested. Or you get on, 
but it’s so slow as to be useless, or you get booted off. 

I’ve spoken with conference speakers who have mentioned how 
disconcerting it can be to look out at an audience and see all the 
faces turned down toward their individual screens rather than up at 
the projected presentation, as if no one were paying attention. But in 
fact, the new reality for conference attendees in the tech space is that 
we’re reliant on our host of connected devices; rather than not paying 
attention, we’re actually processing multiple streams of information: 
the live keynote from the presenter on stage and the immediate commentary
on the keynote from our colleagues and peers flowing across
our screens. Some IT pros might be on call and troubleshooting problems
back at their offices at the same time as well.

However, if you’re left struggling for a connection, it’s hard to pay 
attention to anything but the frustrating fight for a signal. At the recent 
Microsoft SharePoint Conference, Windows IT Pro SharePoint editor
Caroline Marwitz reported being unable to connect to either of two 
conference-provided Wi-Fi networks, not to mention the dedicated 
press network. She also noticed that “available” networks showed 
many attendees were using their own mobile devices as hot spots for 
other devices. This method is a useful solution for some people. But 
as long as the mobile carriers hold the hot spot feature hostage to 
additional fees, a better solution would be for conference organizers 
to recognize the demands their attendees place on the network and 
have sufficient bandwidth available from the start. 

While on the topic of the plethora of devices techies tend to carry, 
here’s another tip for conference organizers: Provide power outlets 
in session rooms and charging stations around the conference halls. 
I’ve seen this idea in limited practice. For instance, at the recent Connections
conference, there was at least one session room set up with
power strips on the tables on one side of the room, and perhaps that’s 
sufficient. If you’ve just come from a keynote and run your laptop
battery down, sitting for an hour or so plugged in while attending a
session can put you back at full power. 

Or how about putting a charging station in the exhibit hall? Give 
the vendors a chance to pitch their products to a captive crowd waiting
for their red bars to turn green. This strategy would help alleviate
all the people sitting on the floor in the hallway of the conference area 
between sessions wherever they can find an outlet. 

The Presentations 

When I think of the presentations and sessions themselves, I have to 
wonder if there’s a better, more tech-oriented method of presenting 
material than the PowerPoint slideshows that have become
ubiquitous—although I confess I don’t know what that solution might be.
PowerPoint can be a useful tool, particularly coupled with live demos. 
But I’m sure we’ve all been subject to the sins of PowerPoint excess 
and overload that simply cause us to tune out the presenter’s message. 

Presenters need to design their PowerPoint presentations for projection
to a large audience on a big screen, with less text and large enough
text that is legible at the back of the room. Almost every conference 
offers the speakers’ presentations for download after the fact; why not 
make them available at the moment? Give attendees the chance to take 
notes right on the presentation on their laptop or tablet, rather than 
taking smartphone pics of the screen or trying to remember what the 
speaker meant when they look at the slide deck again later. 

The Mobile App 

Another thing I think is essential for conferences these days is to have 
a good mobile app, and it should be available for free on any major 
mobile platform. (At TechEd 2012, Microsoft provided a conference 
mobile app, but only for Windows Phone. Seriously, Microsoft?) At a 
minimum, the app should let attendees quickly and easily pull up the 
conference schedule and preferably find sessions by multiple
methods—current time slot, speaker, topic, and so forth.

In addition, if the conference mobile app could include calendaring
and scheduling, so much the better. Recent Microsoft conferences
such as MEC and TechEd have provided a web interface for scheduling;
but there was no integration with a mobile app. However, Windows
IT Pro technical director Sean Deuby reported that the Gartner
Identity & Access Management Summit has a mobile app with just 
that sort of integration with their online agenda-builder. If you’ve 
taken the time before the conference to map out a schedule, you 
really would hope to have it available on the go when you hit the 
ground at the show. Kudos to Gartner for providing this feature. 

A mobile app should also address the social aspects of conference 
attendance. A built-in Twitter stream that’s tuned to any
conference-appropriate hash tags is a good start. Beyond that, there might be
additional methods of connecting attendees through online profiles,
chat rooms on specific topics, or message boards for in-person meetups.
Conference exhibitors could be given the opportunity to sponsor
these areas of the app. 


The Future 

In coming years, the tech conferences that are going to be successful,
that are going to encourage repeat visitors, are those that can
effectively implement new ways of integrating technology with the 
conference to give attendees the best possible experience. I’ve shared 
my thoughts about what works, what doesn’t, and some promising 
directions conference organizers might explore. I’m curious to hear 
what experiences you have had and your suggestions to improve the 
overall conference experience through the use of better technology.


Last June, Microsoft communicated a strategy shift for its Windows
Server business, revealing what it calls the Cloud OS, or, less 
frequently, the cloud operating system for infrastructure. Many 
were confused by this revelation, which seems to imply some future 
product or service. But the Cloud OS is actually a vision of the future, 
a destination or goal that includes other products and services. 

Part of a Broader Movement 

Microsoft’s Cloud OS vision makes more sense, perhaps, within the 
broader context of the sea change that’s gripping both the software 
giant and the entire technology industry. Core products such as 
Windows and Office are now being delivered and updated online as 
services, and the company’s transition from its traditional role as a 
supplier of on-premises software solutions to a devices and services 
firm has been shockingly fast and efficient. 

Collectively, we’ve been somewhat obsessed by Windows 8 and its 
other new consumer- and client-oriented technologies this year. And 
in being so obsessed, we sometimes forget that this release is just 
the Windows client implementation of a broader and more important 
trend. Across Microsoft, and across our industry, traditional software 
products and on-premises solutions are being replaced with
ever-increasing speed by online services.

Consider Windows 8 and Office 2013, two of the more high-profile 
Microsoft releases this year. Both are emblematic of where we are in 
this transition, and both can be deployed in old-fashioned and traditional
ways, including via the purchase of shrink-wrapped boxes that
hold optical media. But both can also be delivered electronically,
as services. Windows users today can upgrade inexpensively and
easily to Windows 8 via a web-based installer that includes more
functionality than the more expensive retail upgrade package. And 
Office 2013 is being delivered over the web through Office 365, with 
lenient new licensing rules that let users install the software on up 
to five PCs and devices. 

Both Windows 8 and Office 2013—and other products such as 
Visual Studio 2012—will be updated on a rolling basis, exactly as are 
online services such as Office 365 and Windows Intune, instead of 
once every few years or so as was the norm. Yes, you will still run this 
software on some device, locally. But the way they’re deployed and 
updated on those devices has changed dramatically. 

This trend toward services extends to our data as well. After years 
of ever-escalating hard drive sizes, modern PCs and devices come 
with SSD or other forms of solid state storage that offer far less 
local capacity. Looking at just portable computers, after hard drive 
sizes hit the 500GB limit, we switched to much lower-capacity SSD 
storage, with the norm being 128GB for a few years there. Today, 
Windows 8 and Windows RT devices such as Microsoft Surface ship 
with just 32GB or 64GB of flash storage. The reason? Our data is 
stored in online services and is synced to the device or accessed 
when online. 

Some will fight back against these trends, and certainly some areas 
of the world are ill-served with expensive, metered, and low-quality 
broadband connections. But the combination of online services and 
simpler devices is a tsunami that can’t be stopped. It’s happening. 

Enter Cloud OS 

On the server side, Microsoft today offers traditional, on-premises 
Windows Server products and Windows Azure, with its cloud-based 
Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) 
capabilities. That Windows Azure was influenced by and based on 
Windows Server is well understood. But Azure also evolved and 
matured in a world that’s starkly different from that of on-premises
servers, one where downtime isn’t just frowned upon but is, in fact,
not allowed. And as you’ll see, the evolution of Azure has, for the
first time in Windows Server 2012, made an impact on Microsoft’s
on-premises solutions as well.

For the moment, however, we’re in the midst of transition. Transitions
don’t happen overnight. And they certainly don’t happen by
cutting off old ways of doing things and forcing customers to embrace 
change. This is even more pertinent to the server market, and to how 
businesses operate in general, than it is with consumer products. 

Although Microsoft’s move to services-based offerings is exciting 
on some levels, and forward-leaning, the firm’s biggest strength during
this transition, I think, is that it hasn’t abandoned customers’
continued needs for traditionally delivered software. That is, in addition
to services, Microsoft has continued to invest in more traditional
server products—Windows Server, System Center, SQL Server, and 
Exchange Server. And it has engineered these products to work in 
a hybrid mode where they can interact, often seamlessly, with their 
services-based brethren. This, folks, is transition done right. 

The goal for Microsoft is what it calls Cloud OS. This is an unfortunate
name in some ways because Microsoft has no product or service
coming called Cloud OS. But the point behind Cloud OS, as I understand
it, is that it’s a rallying cry for the industry and an indication
that Microsoft intends to fully embrace that transition to a services 
theme and apply it to the server world. 

In the initial communication about Cloud OS last June, Microsoft 
Server and Tools president Satya Nadella noted that the unit of hardware
abstraction that a server OS manages had reached the datacenter
level. That is, the server OS—which we might fairly consider
to be both Windows Server and System Center combined in this
scenario—doesn’t manage a single server: It manages a set of servers.

This has physical ramifications—data center versus server—but 
also management ramifications. And if you’re familiar with Windows 
Server 2012, you understand that one of the core features of this
release is the real-world embodiment of this philosophy. That is, it
can be used to simultaneously manage multiple servers at one time. 

It’s fair to say that future Windows Server (and System Center) 
updates will expand on this functionality. And although an OS will 
most likely always be installed locally on individual servers, the hive 
intelligence of that OS will now always expand beyond that single 
system as well. This is a very special kind of scale. It makes Windows 
Server the “cornerstone” of Microsoft’s Cloud OS vision. 

I spoke with Microsoft Distinguished Engineer Jeffrey Snover at 
BUILD about Cloud OS. He told me that Microsoft’s understanding 
of where this would lead was like drawing with watercolor, but that 
over time it would become a more concise engineering blueprint. 
“The Cloud OS shifts the focus forever,” he said. “It’s not a single 
server anymore. It’s a data-center mindset now.”

He compared this work to the early work on Windows NT, where 
Microsoft created a hardware abstraction layer, or HAL, that enabled 
the same OS to run on incompatible platforms such as Intel x86 
and MIPS. “The HAL was the unsung hero of the x86 ecosystem,” 
he said. “And now we’re doing the same thing for the data center, 
a DHAL, if you will.” (Microsoft’s DHAL work rests on
standards-based management technologies, however, which is certainly not the
approach the company would have taken a few years ago.) 

Bill Hilf, general manager of Azure, told me that customers want 
homogeneous, repeatable infrastructure. “Our unit of deployment is a 
cluster, which is 1,000 servers in one unit,” he said. “A fabric controller
orchestrates the servers together. If you’re thinking about single
servers, something is wrong.” 

Hilf noted that Microsoft’s experience with Azure has led to a “virtuous
cycle”—that is, a feedback loop that goes in both directions,
with a favorable result—in this case, where improvements in Azure 
were pushed back to on-premises products such as Windows Server 
2012 and System Center 2012. “We know how to patch tens of thousands
of servers without the service going down,” he said. “We call
this cluster-aware patching, where you automate the patching of all
the hosts. When you bring the concepts from large-scale public cloud
to your server products, it makes it real and tangible for customers.”

Virtuous Cycle: From Azure Back to Windows Server 2012 

Intrigued by this style of product development, I spoke with Mike 
Schutz, general manager for Microsoft’s Server and Cloud Division, 
who provided some insights into the virtuous cycle. Product development,
he said, was an interesting problem. Looking back over a
decade of Windows Server releases, Microsoft always conferred with
customers and partners, asking them what changes and features
they’d like to see in a coming version. But often customers don’t actually
know what they’re looking for. “How do you build a bike when
you’ve never ridden one?” he asked. “Our engineering team understands
what it takes to run a large-scale public cloud, and that firsthand
knowledge—and the pain, really—took us to a game-changing
destination in Windows Server 2012.”

Schutz mentioned the cluster-aware patching concept and noted 
that most Microsoft customers aren’t really big enough to take 
advantage of such functionality. But that doesn’t mean the concept 
isn’t valid, and customers can take advantage of similar features in 
Windows Server at a smaller level. So the capabilities are there to 
patch smaller entities, such as nodes, while ensuring that the service 
you’re presenting internally or to customers stays online, as it would 
with an online service. 

Automation is another example. It’s probably not lost on you that 
Microsoft is heavily pushing Windows PowerShell-based automation
capabilities in Windows Server 2012, especially. “Ubiquitous
automation is a core tenet,” Schutz told me. “We want to be able
to automate everything. With PowerShell, administrators,
partners—anyone—can layer on the core capabilities with their own tools. It’s a
big deal.” Then there’s networking. In the hosted services world, data
centers and servers are hosting multiple customers, so multi-tenancy
is a requirement. Most enterprises hear “shared resources” and lose
interest, but as Schutz noted, multi-tenancy makes sense for this market
as well. “Talk to them about mergers and acquisitions, bring in a
new company that has a different network infrastructure,” he said.
“Do you want that on the shared infrastructure? Or what about HR
and finance, which are basically different businesses? You need a
consistent shared infrastructure.”

Windows Server 2012 introduces a concept called software-defined 
networking in which you can have shared but isolated network 
infrastructure, where the logical networks are abstracted from the 
underlying physical network. “This is the single biggest data-center 
transformation we’ve seen,” Schutz said. “We’ve done it with Azure, 
and we’re doing it with Server 2012.” 

I also liked Schutz’s definition of cloud computing as services plus 
management plus automation, a definition that mirrors a discussion 
I had a few years ago with Server principal group program manager 
Jeff Woolsey. “The message is simple: You just can’t think a server at 
a time anymore,” he said. “You’ll die if you do. Instead, think about 
the whole data center as the computer, or what we call a unit of compute.
It’s a larger-scale construct, essentially a container.”

The future of this stuff, he said, is smarter software that works 
on standardized hardware, software that can reroute automatically 
around failures and keep services running, creating seamless uptime 
for the consumers of those services. Some of this is quite evolutionary,
where the resiliency of the system is in the software layer instead
of in the hardware layer. 

“The SMB protocol is now resilient to hardware failure, so apps 
don’t need to be,” he said. “We don’t need to build really smart apps 
anymore. The OS knows what to do.” ■ 

InstantDoc ID 144892 


Windows IT Pro / January 2013


Windows Power Tools

Mark Minasi is a senior contributing editor for Windows IT Pro, an MCSE,
and the author of 30 books, including Mastering Windows Server 2008 R2
(Sybex). He writes and speaks around the world about Windows networking.


Getting the Real Power 
from PowerShell 

Assemble your first 
Active Directory one-liner 

For the past few months, I’ve shown you the first (and hardest)
part of PowerShell Active Directory (AD) one-liners: the query.

As I’ve said before, you can see the real power of PowerShell 
in AD by combining a cmdlet that collects all the accounts that meet 
some criterion (e.g., everyone who hasn’t logged on in 120 days, 
everyone in the Facilities Management OU, everyone whose manager 
is Sam Jones)—aka the query—with another cmdlet that does something
to those accounts (e.g., disables them, forces them to change
their password at next logon, changes their manager to Darla Seward).
Another way I like to think of these “AD PowerShell duets” is a combination
bination of the filter (find the folks in question) and the hammer (do 
something with them). 

To find people who fall into a particular category, we’ve examined 
get-aduser (which does everything but is complex), search-adaccount
(which is limited to finding just a few things but is well tuned and 
offers simpler syntax for those needs), and get-adgroupmember (which 
reveals group members). This month, it’s time to get some work done— 
and begin meeting some new cmdlets to get that work done. 

To that end, meet our first hammer: disable-adaccount. To use it, 
you just type the command, followed by a distinguished name (DN), 
an account GUID or SID, or a samaccountname. To disable an account 
with a logon name of IvanVasilyevich4, you would type

disable-adaccount -identity IvanVasilyevich4

This looks like PowerShell cmdlets you’ve met before—same verbish-noun
structure. You probably also won’t be surprised to learn that
disable-adaccount accepts -identity as a positional parameter in the first
position, which means that you can type

disable-adaccount IvanVasilyevich4

and get the same result. But would you ever do that? Disable-adaccount
involves an awful lot of typing, even if you’re using PowerShell’s
tab-completion functionality. (And may the repetitive-stress-injury gods
have mercy on your wrists if you try tab completion while in \System32,
the folder that PowerShell likes to start in if you’re running elevated.)

You could, of course, give it a shorter name with set-alias, as in 

set-alias dace disable-adaccount

which would let you henceforth just type

dace IvanVasilyevich4

But you’d have to put that set-alias command in your profile, and 
you’d be typing commands that no one else understood. Note that 
there’s nothing wrong with performing one-off AD administration 
with PowerShell, particularly if you’re a fast typist, you’re deft with 
the tab key, and you keep a PowerShell command prompt window 
open at all times. But the real power is, again, not in PowerShell 
“solos” but in duets, as in this one: 

search-adaccount -usersonly -accountinactive -timespan "120" | 
disable-adaccount 

It looks ugly, but when you break it up, it gets easier. First, there’s the
piece on the left:

search-adaccount -usersonly -accountinactive -timespan "120"

If you’ve been reading these columns for the past few months, that 
should look familiar. It’s the command that finds all the users who 
haven’t logged on in 120 days. You’ve known about these truants for 
months . . . you just haven’t done anything with that information, 
short of making note of it. 

Second, there’s the pipeline character (|). If you’ve ever messed 
with DOS batch files or with UNIX command-line administration, you 
might recognize it. It’s how PowerShell takes the output of one command
(the list of people who haven’t logged on in four months) and
feeds it as input to another command—in this case, the command to 
disable their user accounts: 

disable-adaccount 

Thus, this pair of cmdlets finds those users who haven’t logged on in 
120 days and disables their accounts. 

This example, I think, finally offers some payoff for all our PowerShell
studies. Could you do this with the GUI? Not easily. You’d have
to craft some kind of bizarre LDAP query, run it, hit Ctrl + A to select
the results, and—well, you get the idea. Yes, the command is a bit
long, but do what I do: Use one of those yellow notes in Outlook to
store useful PowerShell one-liners, or use one of those new “snippets”
in PowerShell 3.0. (Download Windows Management Framework
3.0—it needs .NET 4.0—and you get PowerShell 3.0. I strongly
recommend it.) Or, better yet, take that command, package it up as
a .ps1 file as I demonstrated last month in “Automated PowerShell
Reports Delivered to Your Inbox,” and make a task that runs automatically
matically every week or so. 
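
A staged version of the filter-and-hammer one-liner, added here as an example and not taken from the column: it records who was matched before anything is disabled and honors -WhatIf for a dry run. The function name Disable-InactiveUser, the report path, and the keep-list parameter are assumptions made for illustration.

```powershell
# Added example (not from the column). Needs the ActiveDirectory module (RSAT)
# and an account with rights to disable users.
Import-Module ActiveDirectory

function Disable-InactiveUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$InactiveDays = 120,
        # Assumed report location; point it wherever you keep audit records.
        [string]$ReportPath = "$env:TEMP\inactive-users.csv",
        # Assumed keep-list of logon names that must never be disabled
        # (service accounts, break-glass admins, and so on).
        [string[]]$ExcludeSamAccountName = @()
    )

    # Build the time span explicitly. The column quotes "120" because a string
    # is parsed as 120 days; a bare integer 120 would be cast to 120 ticks.
    $window = New-TimeSpan -Days $InactiveDays

    # The filter: inactive users that are still enabled and not on the keep-list.
    $stale = @(Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $window |
        Where-Object {
            $_.Enabled -and ($ExcludeSamAccountName -notcontains $_.SamAccountName)
        })

    # Write the record first, so every disable can be traced and reversed.
    # -WhatIf:$false makes the report appear even during a dry run.
    $stale |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate,
            @{ Name = 'NeverLoggedOn'; Expression = { -not $_.LastLogonDate } } |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    # The hammer: one ShouldProcess check per account, so -WhatIf and -Confirm
    # behave as they do for built-in cmdlets.
    foreach ($user in $stale) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
            Disable-ADAccount -Identity $user
        }
    }

    Write-Verbose ("{0} account(s) matched; report at {1}" -f $stale.Count, $ReportPath)
}

# Dry run: lists what would be disabled and writes the report, changes nothing.
Disable-InactiveUser -InactiveDays 120 -WhatIf -Verbose
```

Review the CSV from the dry run, then drop -WhatIf in the scheduled copy of the script.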

I’ve just started with one-liners. Join me next month for another 
hammer and—yes—another one-liner! ■


Windows 8 Keyboard
and Mouse Survival Guide

Tips to ease the transition to Windows 8 


So you make the plunge into Windows 8 and before you know it,
you’ve been thrown from the frying pan into the fire. Designed 
to accommodate traditional keyboard and mouse interfaces as 
well as newer pure touch interfaces such as tablets, Windows 8 is 
very different from any of the preceding versions of the Windows 
desktop OS. Finding your way around Windows 8 with a touch interface
is fairly intuitive. However, it can be a challenge with the mouse
and keyboard. Plus, you can’t just spend your time struggling to find
stuff—you need to be productive right away. In this column, I’ll give
you the top 10 tips you’ll need to survive the move to Windows 8.

(1) Find the Corners

You might question exactly how intuitive invisible hot spots in the 
corners of the screen are, but knowing about them is vital to getting 
around in Windows 8. On the Start screen, the most important hot 
spot is in the upper right corner and clicking it displays the Charms 
menu. The lower right hot spot accesses the Start screen, and the 
upper left hot spot displays the desktop. On the desktop screen, a hot 
spot in the lower left switches you to the Start menu. Alternatively, the 
Win key quickly toggles between the Start screen and the desktop.

(2) Use Win + X

This shortcut is the catch-all key combination where you’ll find everything
important that doesn’t fit on the new Start screen. Use Win + X
to launch a command prompt or an administrative command prompt. 
Other menu options include Programs and Features, Power Options,
Device Manager, Disk Manager, Computer Management, Control 
Panel, and File Explorer. Everything launched from the Win + X key 
combination runs on the desktop. 

(3) Use the Other Shortcut Keys

Perhaps somewhat ironically for a graphical OS, Windows 8 relies on 
many shortcut key combinations. You just learned about Win + X, the 
most important shortcut key. Some other useful keystroke combinations
include: Win + C opens the Charms bar, Win + I (that’s i) opens
the Settings charm, Win + K opens the Connect charm, Win + H opens
the Share charm, Win + Q opens the Search pane, Win + Tab cycles
through running apps, and Win + Z opens the app bar.

(4) Use Search

Search is now an essential way to start programs from the Start menu. 
The Start menu is flat and doesn’t display all the programs on the 
system. However, you can launch programs using Search from the 
Start screen just by typing the program name. You’ll see a list of
results on the left side of the Start screen, and you can run the desired
program by clicking its name.

(5) Customize the Start Screen

Unlike the old Start menu, the Windows 8 Start screen isn’t static. It 
can automatically display the status of different apps continually 
(which I honestly find annoying, but it could potentially be useful if 
there were something that I wanted to get automatic updates about). 
When you install programs, their tiles are added automatically to the 
Start screen. To add your own tiles to the Start screen, press Win + Z, 
select All Apps, then right-click the application you want to add. You 
can change the Desktop theme by using Settings, Personalize, Start 
screen. You can pin programs to the taskbar by right-clicking the 
desired program. 

(6) Close Apps

Windows 8 apps don’t always work like you expect. One prominent 
example is closing apps. While it’s easy to start an app just by clicking
its tile on the Start screen, once the app is opened you’ll quickly
see there are no close or minimize buttons in the upper right corner 
like in a Windows desktop program. To close an app, move the 
mouse pointer to the top of the screen until it becomes a hand icon, 
then left click, hold, and drag down. The app will minimize, then 
you can drag it off the bottom of screen. Alternatively, you can press 
Alt + F4. 

(7) Enable Administrative Tools

If you’re a Windows IT Pro reader, there’s no doubt that you’ll want 
to use the Windows 8 Administrative Tools. To enable Administrative 
Tools, open Settings either using the upper right corner hot spot or by 
pressing Win + I (i). Next, select Tiles and move the Show administrative
tools slider to the right. The Start screen will be populated with
the familiar administrative tools you know and love.

(8) Make RDP Windows 8 Friendly

If you remotely connect to a Windows 8 system (or Windows Server 
2012) via RDP, you’ll find the experience is less than awesome because
the default RDP settings don’t capture the local hot key combinations 
that are used elsewhere in Windows 8. To allow RDP to send the Win 
hot key to a remote Windows 8 (or Server 2012) system, go to the 
Remote Desktop Connection option and select the Local Resources 
tab. In the Keyboard drop-down menu, select On the remote computer,
or if you run RDP in full screen (which I don’t), select Only
when using the full screen.

(9) Get Over It

There are some things you’re just not going to get—at least not with 
this first release of Windows 8. Start button: gone. Aero: gone. Recent 
Items: gone. Windows Media Center: gone (technically, you should 
be able to get it as a paid add-on for Windows 8 Professional). DVD 
playback: gone (that’s right, you need Windows Media Center or a 
third-party program for this function—VLC is a popular option).
Windows DVD Maker: gone.

(10) If You Don't Want to Get Over It, Use Classic Shell

Yeah, I know it’s not really a Windows 8 tip, but it might help you 
survive the move to Windows 8. If you really miss the Start menu, 
you can get it back with the free Classic Shell. You can download 
Classic Shell from SourceForge. ■


Active Directory Disaster
Recovery in the Wake
of Hurricane Sandy


Thanks to Hurricane Sandy and its angry little sister, Winter
Storm Athena (since when did we start naming winter storms, 
too?), there’s been a lot of discussion about disaster recovery. 
Sadly, I think most companies still aren’t well prepared for disaster 
recovery. I chalk it up to human nature. We all tend to believe that 
bad things happen only to the other guy. On a personal level, how 
many of you have wills? How many of you have left all your account 
passwords in such a way that your spouse knows how to find them 
(in case you get hit by satellite debris on your way to work)? This 
same sense of denial exists on a corporate level for disaster recovery 
planning. With all that in mind, now is a good time to do a quick 
review of your Active Directory (AD) disaster recovery plan to see 
how disaster-ready it is. 

AD is the IT pro’s best-known identity store. From a physical viewpoint, 
AD can stand up to a disaster very well indeed. AD is highly fault 
tolerant because it’s a distributed application with its identity store 
replicated across multiple domain controllers (DCs). It’s somewhat 
more vulnerable to corruption from a logical viewpoint, but physical 
disasters rarely affect the logical architecture and the data it contains. 

You Can't Wreck It if It Ain't There 

Of course, AD does have its vulnerable points, and if you design your 
forest poorly there are ways you can screw up its innate fault tolerance. 
The first and most obvious rule is to have more than one 
DC in your forest. To larger businesses this is a no-brainer, but it’s 
not nearly as obvious for small businesses (e.g., if you’re running 
various versions of Windows Small Business Server—SBS). If you 
do have more than one DC, kudos to you—but now we come to the 
second rule: Are those DCs in different locations? Separating DCs 
geographically is a well understood best practice among midsized 
and large businesses, but a small business probably doesn’t have a 
second location with a WAN link between the locations. In that case, 
you would separate them within your office, if possible. What do you 
do in the case of a disaster like Sandy, in which you have a little time 
to prepare? Shut down the DC that isn’t the Primary Domain Controller 
(PDC)/Relative ID (RID)/schema/infrastructure master, and take 
it home with you! Sure, it’s not the best security practice, but in this 
case isn’t it more important to keep the company (if you’ll pardon the 
expression) afloat? 

Let’s assume you’ve been able to check off these first two rules 
as done. Do you have a multi-domain forest? If so, are all your root 
domain DCs in the same location? If they are, you lose points on this 
item because if you have a multi-domain forest and lose all those 
root DCs due to a building disaster, you’ve lost the forest. A good AD 
design and a smart financial planning strategy have this principle in 
common: Diversity is key to getting through a wide variety of uncertain 
conditions. 

There's Nothing to Restore if You Don't Back It Up 

Diversity is no substitute for backing up your forest. A good 
backup-and-recovery strategy ensures that if you do lose your forest or some 
part of it, you can rebuild it. Your backup-and-recovery plan shouldn’t 
stop at the DC recovery level; it needs to provide for the chance that 
you lose the whole forest. First, make sure you back up two DCs in 
every domain. In a small business, this isn’t a big deal; you probably 
have only one domain. Does it matter which DCs you back up? In 
general, it isn’t crucial. Because we’re focusing on serious disaster 
recovery, however, there are choices you can make that will speed 
your forest recovery time. 

The forest recovery process, as detailed in TechNet’s “Planning for 
Active Directory Forest Recovery,” creates a seed forest of one DC 
for every domain. Because there’s only one DC in each recovered 
domain, that box must hold all the operations master roles for the 
domain. Your recovery process will be a bit simpler and faster if the 
DC you recover already has these roles installed on it, so back up the 
DC that holds these roles (which are usually grouped together). 

If your forest has multiple domains, another consideration is for 
this target backup DC to not be a Global Catalog (GC) server. Why 
not? Because differences in backup versions between the authoritative 
DC in each domain and its GC replica in other domains can introduce 
lingering objects into the recovered forest (see the “Removing the 
global catalog” section of “Appendix A: Forest Recovery Procedures” 
for details). Best practice is for all DCs to also be GC servers, so how 
do you reconcile this? Decide based on the size of your domain or forest 
and the number of DCs in a domain. If you have a multi-domain 
forest with more than 10,000 users, unhosting a GC will take time that 
you won’t want to spend during a forest recovery. Also, you’ll probably 
have enough DCs in a domain that one of them not hosting a GC won’t 
be a problem. If you have a relatively small number of users in a 
multi-domain forest, you need the GC role more, and unhosting a small GC 
from a seed DC doesn’t take as long, so this tip doesn’t apply. 
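
The selection criteria in the last two paragraphs (back up the DC that already holds the domain's operations master roles and, in a multi-domain forest, weigh whether it is a GC) can be checked per domain with the ActiveDirectory module. This is an added example, not code from the article; the function name Get-ForestBackupCandidate is hypothetical, and it treats AD sites as a stand-in for physical locations.

```powershell
# Added example, not from the article. Requires the ActiveDirectory module
# (RSAT or a DC) and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-ForestBackupCandidate {
    [CmdletBinding()]
    param()

    # The domain-wide operations master roles a seed DC must end up holding.
    $domainRoleNames = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    $forest          = Get-ADForest
    $multiDomain     = @($forest.Domains).Count -gt 1

    foreach ($domainName in $forest.Domains) {
        $dcs   = @(Get-ADDomainController -Filter * -Server $domainName)
        # Assumption: one AD site roughly equals one physical location.
        $sites = @($dcs | ForEach-Object { $_.Site } | Sort-Object -Unique)

        foreach ($dc in $dcs) {
            # Domain-wide roles this DC already holds.
            $held = @($dc.OperationMasterRoles |
                      ForEach-Object { "$_" } |
                      Where-Object { $domainRoleNames -contains $_ })

            $notes = @()
            if ($dcs.Count -lt 2)   { $notes += 'Only one DC in this domain' }
            if ($sites.Count -lt 2) { $notes += 'All DCs are in one AD site' }
            if ($multiDomain -and $dc.IsGlobalCatalog) {
                $notes += 'GC in a multi-domain forest: GC must be removed on restore'
            }

            [pscustomobject]@{
                Domain           = $domainName
                DomainController = $dc.HostName
                Site             = $dc.Site
                IsGlobalCatalog  = $dc.IsGlobalCatalog
                DomainRolesHeld  = $held.Count
                HoldsAllRoles    = ($held.Count -eq $domainRoleNames.Count)
                Notes            = ($notes -join '; ')
            }
        }
    }
}

# Role holders first; within equal role counts, non-GCs sort before GCs.
Get-ForestBackupCandidate |
    Sort-Object Domain,
                @{ Expression = 'DomainRolesHeld'; Descending = $true },
                IsGlobalCatalog |
    Format-Table -AutoSize -Wrap
```

The first row for each domain is the natural primary backup target; pick the second DC to back up from a different site where the Notes column allows it.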

Another choice you can make to hasten a forest recovery is to 
upgrade your DCs to Windows Server 2012. How does the new OS 
make this process easier? The high-level process is to build a seed 
forest of one DC per domain, then build out this recovered forest 
with additional DCs. As I mentioned in “How Windows Server 2012 
Improves Active Directory Disaster Recovery,” Server 2012 can speed 
up the build-out process tremendously by allowing you to simply 
clone the seed DCs you’ve created. If you don’t have Server 2012, you 
can still speed up your forest build-out by quickly creating new member 
server virtual machines (VMs)—but you must promote them as 
you would any new physical server rather than simply cloning them. 

There’s a whole new discussion possible now about how the cloud 
affects AD backup and recovery. For example, should you host virtual 
DCs in an Infrastructure as a Service (IaaS) service? Can Microsoft’s 
new Windows Azure AD service help you? I’ll save these discussions 
for a future column. 

Important But Not Urgent 

Recent weather events on the east coast should serve as a wake-up 
call for companies that haven’t taken the time to put together and test 
a solid AD disaster recovery plan. This activity falls into what the late 
Stephen Covey of The 7 Habits of Highly Effective People fame calls 
Quadrant II: Important But Not Urgent. It’s not a coincidence that he 
says Quadrant II is where your best contributions are made. Place a 
priority on this important but not urgent task. Otherwise you’ll find 
yourself in, well, deep water. ■ 

Troubleshooting Windows Server 2012 Virtualized Domain Controller Cloning 

No more deploying Sysprepped server images 
and manually promoting a domain controller 

Windows Server 2012 introduces a feature called Virtualized 
Domain Controller (VDC)—which Windows IT Pro covered 
in “Cloning Virtual Domain Controllers in Windows Server 
2012.” Essentially, you no longer have to deploy a Sysprep-prepared 
server image and then manually promote a domain controller (DC). 

Instead, the cloned DC automatically performs a subset of Sysprep 
operations and promotes the DC with the existing local Active Directory 
Domain Services (AD DS) data as installation media, consuming 
administrator-provided settings such as computer name and IP 
address. This allows faster deployment of new DCs in production or 
test labs, simplified disaster recovery, and the ability to scale out in 
hosting and branch-office scenarios. 

As with all things in your computing environment, you might 
need to troubleshoot this process. This month, I want to share the 
troubleshooting techniques that Microsoft established for VDC during 
its development over the past two years. 

Ned Pyle is a former senior support escalation engineer for the 
Commercial Technical Support team at Microsoft, where he was editor 
of the Ask the Directory Services Team blog. He is now a senior 
program manager in the Windows Server development group at 
Microsoft. He resides in Seattle, Washington. 

What Would Microsoft Support Do? 
Windows IT Pro / January 2013 
WWW.WINDOWSITPRO.COM 

Understand the Cloning Steps 

Most cloning issues turn out to be related to human error. My most 
important point in this article is a common realization among users: 
“When I fail to clone a DC, I usually find that I missed a preparatory 
step.” There are a number of requirements to cloning and steps you 
must follow exactly in order to succeed. There’s no cloning wizard, 
and that puts responsibility on you to get the procedure right. When 
you flub a stage, cloning fails. 

With that in mind, I want to distill the cloning process down to a 
handful of operations. In essence, you’ll prepare the environment, 
prepare the source DC, and create the cloned DC: 

1. Validate that the hypervisor supports VM Generation ID and 
therefore cloning. 

2. Verify that a Server 2012 server holds the PDC Emulator role 
and that the Primary Domain Controller (PDC) is online and 
reachable through remote procedure call (RPC). 

3. Authorize the source DC for cloning. 

4. Remove incompatible services and programs, or add them to 
the CustomDCCloneAllowList.xml file. 

5. Create DCCloneConfig.xml. 

6. Take the source DC offline. 

7. Copy or export the source DC, and add the XML files if not 
already copied. 

8. Create a new virtual machine (VM) from the copy. 

9. Start the new VM to commence cloning. 

To see the end-to-end steps, review “Virtualized Domain Controller 
Deployment and Configuration” on TechNet. It’s worth the read, 
trust me. 

Know Your Symptoms 

If you make a misstep in these steps, cloning fails and the VM will 
boot up in Directory Services Repair Mode (DSRM). This mode protects 
your environment from accidental duplication of DCs. Once you 
fix the problem and remove the DSRM boot flag, you can restart the 
DC and it will try to clone again. Naturally, knowing the DSRM password 
is crucial. You can set the password during promotion of the 
source DC, or you can use Ntdsutil.exe later. Fancy folks maintain the 
password automatically—check out our blog post “PS Restore Mode 
Password Maintenance.” 

If you miss step 5 and you’re using automatic IP addressing, you’ll 
end up with a duplicate DC. This one is a bummer to fix (see “DC 
cloning fails with no DSRM, duplicate source and clone computer”), 
so if you get nothing else out of this article, remember step 5! This 
issue is as old as AD itself, but in the VDC era it becomes more likely. 

Finally, you need to understand where cloning ends and promotion 
begins. VDC ultimately results in a DC promotion and replication, and 
if those go wrong you return to the classic DC troubleshooting of the 
past decade. 

Know Your Methodology 

Figure 1 shows a diagram I like to keep around as something to jog my 
memory. It’s based on the most common issues I saw during internal 
dogfooding, public beta testing, and worldwide training of Microsoft 
support and field engineers. So don’t feel bad if you run into one or 
more of these problems—you’re in good company! 

Figure 1: Cloning/Promotion Methodology Diagram 

First, ensure that cloning succeeded. If it didn’t, determine whether 
the server is in DSRM. If it isn’t in DSRM, the DC is now a duplicate 
and you should be following the steps in the Microsoft article “DC 
cloning fails with no DSRM, duplicate source and clone computer.” 

If it is in DSRM, the safeguards against duplication worked and you 
should examine the Directory Services event log. 

Which leads me to another point: Always check the Directory Services 
event log! This log contains all the cloning events (2160-2228 
and 29218-29267) and should be your first stop for any troubleshooting. 
The log will reveal whether you made a common mistake: 

• Is the hypervisor supported? 

• Does an incompatible application need to be in the 
CustomDCCloneAllowList.xml allow list? Does the 
CustomDCCloneAllowList.xml contain valid entries? 

• Is the PDC emulator online and available through the RPC protocol? 

• Is the DC a member of the Cloneable Domain Controllers group? 
Is the Allow a DC to create a clone of itself permission set on the 
domain root for that group? 

• Is the IP address or computer name either duplicated or invalid in 
the DCCloneConfig.xml file? 

• Is the AD site invalid in the DCCloneConfig.xml file? 

• Is the IP address not set in the DCCloneConfig.xml file, and is no 
DHCP server available? 

• Does the DCCloneConfig.xml file contain syntax errors that prevent 
correct parsing? 

• Did DC promotion fail after cloning began successfully? 

There are less common issues, too. Was the maximum number of 
auto-generated DC names (9,999) exceeded? Is the MAC address duplicated? 
Is the PDC Emulator replicating so that it knows the security 
group change happened and its partners know it holds the PDC role? 

I highly recommend using the New-AdDcCloneConfigFile Windows 
PowerShell cmdlet because it helps you avoid XML syntax errors—but 
don’t treat it as a crutch. It has no idea whether you typed in a bad IP 
address or an invalid computer name. Microsoft did its best to make the 
event log entries actionable. For example, in Table 1’s example, it’s clear 
that I tried to clone a source Server 2012 computer on an unsupported 
hypervisor (in this case, it was a Windows Server 2008 R2 Hyper-V 
host). In Table 2’s example, I accidentally added the name of an existing 
computer into my DCCloneConfig.xml file. Because I can’t create a new 
DC when another one already exists with the same name, cloning fails. 


Table 1: Actionable Log Entry #1 

Event ID: 2169 
Source: Microsoft-Windows-ActiveDirectory_DomainService 
Severity: Informational 
Message: There is no VM Generation ID detected. The DC is hosted on a 
physical machine, a down-level version of Hyper-V, or a hypervisor that 
does not support the VM Generation ID. 
Additional Data: Failure code returned when checking VM Generation ID: %1 


Table 2: Actionable Log Entry #2 

Event ID: 2199 
Source: Microsoft-Windows-ActiveDirectory_DomainService 
Severity: Error 
Message: <COMPUTERNAME> failed to create the following cloned DC object 
because the object already exists. 
Additional Data: 
Source DC: %1 
Object: %2 

The System event log and %systemroot%\debug\dcpromo.log might 
also contain useful information about cloning failures. Remember that 
once cloning is complete, DC promotion still has to finish. For a complete 
list of events—as well as expected cloning log behaviors—review 
“Virtualized Domain Controller Troubleshooting.” As the author of that 
article, I warn you not to read it while operating heavy machinery! 

Core Servers 

By now, you’ve noticed that Server 2012 defaults to Core installations, 
which have no graphical shell and require that you perform operations 
with a command prompt or PowerShell. This fits well with the 
VDC philosophy of deploying scalable managed environments with 
minimal OS overhead. But when was the last time you read an event 
log from the command line? There’s no eventvwr.exe tool on Core 
servers. Never fear! You have a few options: 

• Run Wevtutil. 

• Run the PowerShell cmdlet Get-WinEvent. 

• Enable the Windows Firewall rules for the Remote Event Log Management 
groups to allow inbound communication. Doing so allows 
remote tools such as Event Viewer to connect. You can use Group 
Policy to deploy this policy to all your existing DCs, as Figure 2 
shows, and it will be on the clone copy if you run into problems. 


Figure 2: Using Group Policy to Allow Inbound Communication 




Important: Don’t try to add the graphical shell back to a server 
while in DSRM. Microsoft doesn’t support this. The server won’t boot 
correctly, forcing you to discard the VM and start over. 
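
For the Get-WinEvent option above, one way to pull only the cloning events (the two ID ranges given earlier) plus the tail of dcpromo.log on a Core server. This is an added example, not code from the article; the function names Get-DcCloningEvent and Get-DcPromoLogTail are hypothetical.

```powershell
# Added example, not from the article. Run it on the clone while it sits in DSRM
# (works on Server Core), or pass -ComputerName once the Remote Event Log
# Management firewall rules are enabled on the target.
function Get-DcCloningEvent {
    [CmdletBinding()]
    param(
        [string] $ComputerName,
        [int]    $MaxEvents = 200
    )

    # The two event ID ranges the article lists for cloning.
    $xpath = '*[System[(EventID >= 2160 and EventID <= 2228) or ' +
             '(EventID >= 29218 and EventID <= 29267)]]'

    # 'Directory Service' is the channel name of the Directory Services log.
    $query = @{
        LogName     = 'Directory Service'
        FilterXPath = $xpath
        MaxEvents   = $MaxEvents
        ErrorAction = 'Stop'
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    try {
        $events = Get-WinEvent @query
    }
    catch {
        # Get-WinEvent reports "nothing matched" as an error; return nothing instead.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    # Oldest first, so the output reads in the order cloning ran.
    $events | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Level   = $_.LevelDisplayName
            Summary = ("$($_.Message)" -split "`r?`n")[0]
        }
    }
}

function Get-DcPromoLogTail {
    param([int] $Lines = 40)

    # Local file only; the article names it as a second place to look.
    $path = Join-Path $env:SystemRoot 'debug\dcpromo.log'
    if (Test-Path $path) { Get-Content -Path $path -Tail $Lines }
    else { Write-Warning "$path not found." }
}

$cloning = @(Get-DcCloningEvent)
$cloning | Format-Table -AutoSize -Wrap

# The last few warnings and errors are usually the ones that stopped cloning.
$cloning | Where-Object { 'Error', 'Warning' -contains $_.Level } |
    Select-Object -Last 5 | Format-List

Get-DcPromoLogTail
```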

Reattempting Cloning 

Once you review the Directory Services event log and fix your problem, 
you still have a clone server that always boots in DSRM. You can 
use MSConfig to remove this flag: Select the Boot tab, and then under 
Boot Options clear the Safe boot option and click OK. If you’re on a 
Core server, use BCDEdit: 

bcdedit.exe /deletevalue safeboot 

In either case, when you restart the computer, cloning will read the 
DCCloneConfig.xml file and try again. There’s no limit to the number 
of times you can try, but let’s hope you get it right on the first attempt! 

Don't Forget the Knowledge Base 

If the Directory Service events aren’t making sense or you just can’t 
figure out what’s gone wrong, don’t forget about your pal the Microsoft 
Knowledge Base. It contains all of the known VDC issues, along 
with guidance and repair steps. Here’s a query for all of the Server 
2012 VDC articles if you just want them in your back pocket. I hope 
you find the Server 2012 VDC feature compelling: We designed it with 
your business and feedback in mind. ■ 

FAQ 

Answers to Your Questions 

Q: What improvements has Microsoft made in Windows 8 and Windows 
Server 2012 to reduce the number of Kerberos authentication errors due 
to token bloat and too-large Kerberos tickets? 

A: Starting with Windows 2000, Kerberos is the default Windows 
authentication protocol. Microsoft extended the base 
Kerberos protocol to enable a Kerberos authentication ticket to include 
authorization data. A Windows Kerberos ticket and ticket-granting ticket 
(TGT) both contain a special field called the Privilege Attribute Certificate 
(PAC), which enables Kerberos to transport authorization data, 
such as user group memberships, in the Kerberos authentication tickets. 
There are some architectural limitations in Windows related to the 
PAC, which can make user authentication fail under certain conditions. 
These limitations are commonly referred to as the token bloat problem. 

The first limitation relates to the size of the PAC field, which is finite. 
As a consequence, the number of groups that can be added to it is also 
limited. The limit for user group memberships is about 1,015. This number 
is because the PAC can hold only 1,024 SIDs, and we also must 
subtract from this number a varying number of well-known groups that 
the Windows Local Security Authority (LSA) automatically adds to each 
access token. The access token is the most important Windows authorization 
artifact that the Windows LSA constructs from a user’s domain 
authorization data in the Kerberos PAC and the local user authorization 
data in a machine’s local security database. See the Microsoft article 
“Users who are members of more than 1,015 groups may fail logon 
authentication” for more information about this limitation. 



But the practical group membership limit is in some cases even lower: 
You can get Kerberos authentication problems with about 130 group 
memberships. Besides the hard-coded 1,024 PAC group membership 
limit, there’s also another limit that makes Kerberos authentication fail 
across certain communication protocols when the PAC becomes too big. 

This second limitation is rooted in some architectural and design limits 
that are part of Kerberos and communication protocols such as HTTP. 
The Windows Kerberos implementation uses a buffer to store the authorization 
information that’s transported in the PAC, and it also reports 
the size of this buffer to protocols that use the Kerberos protocol for 
authentication. The HTTP protocol, for example, uses this buffer size 
when it allocates memory for authentication. Therefore, if the size of 
the authorization data for an authenticating user is larger than the 
MaxTokenSize, then the authentication across an HTTP connection will fail. 

The size of the authorization buffer is determined by the MaxTokenSize 
registry key that’s located in 
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. 
The default buffer size in Windows 7 and Windows Server 2008 R2 is 
12,000 bytes. In Windows 8 and Windows Server 2012, the default 
MaxTokenSize value has been increased to 48,000 bytes. 

You can obviously adjust the MaxTokenSize to accommodate more 
groups, but knowing what value to set it to isn’t an easy exercise. 
Microsoft provides the tokensz.exe tool to help you with this process; 
you can get this tool and more info from the Microsoft Download Center: 
Tokensz. Also, the MaxTokenSize value has an upper limit. The 
maximum allowed value of MaxTokenSize is 65,535 bytes. However, 
because of the way the HTTP protocol encodes authentication context 
tokens, Microsoft recommends that you don’t set the MaxTokenSize 
registry entry to a value larger than 48,000 bytes. 

To make it easier for administrators to configure the MaxTokenSize 
parameter and to reduce the number of authentication errors caused 
by token bloat, Windows 8 and Server 2012 include some important 
changes. 

Windows 8 and Server 2012 come with two new Group Policy 
Object (GPO) settings that are related to MaxTokenSize. The first GPO 
setting makes it easier to set and enforce the MaxTokenSize registry 
value using GPOs. It’s called Set maximum Kerberos SSPI context 
token buffer size, and it’s located in the \Computer Configuration\Administrative 
Templates\System\Kerberos GPO container; Figure 1 
shows the GPO options. See the Microsoft article “How to use Group 
Policy to add the MaxTokenSize registry entry to multiple computers” 
for a summary of how to enforce MaxTokenSize values on different 
Windows versions. 

Figure 1: Setting Options for the New Set maximum Kerberos SSPI context token buffer size GPO 


The second setting is called Warning for large Kerberos tickets and 
it’s located in the \Computer Configuration\Administrative 
Templates\System\KDC GPO container; Figure 2 shows the options for this GPO. 

Figure 2: Setting Options for the New Warning for large Kerberos tickets GPO 



When you enable this GPO setting, you must enter a Kerberos ticket 
threshold size. This setting lets you configure at what threshold size 
Kerberos tickets will trigger a ticket-size warning event (with Event ID 
31, a new Event ID for Server 2012 and Windows 8) in the Windows 
System event log. 

You can use this setting to determine the exact value you should set 
for the MaxTokenSize key in your Active Directory (AD) environment. 
Previously, you were forced to use the relatively complex tokensz.exe 
tool to determine an optimal MaxTokenSize value. If you disable or 
don’t configure this setting, the threshold value for sending warning 
events defaults to 12,000 bytes, which is the default MaxTokenSize 
value on Windows 7, Server 2008 R2, and earlier Windows versions. 

Finally, in Server 2012, the Kerberos Key Distribution Center (KDC) 
service that runs on every domain controller (DC) also optimizes the 
storage of group SIDs in the PAC in order to further reduce the PAC 
size and reduce the number of Kerberos authentication errors. This 
feature is called KDC Resource Group Compression. To compress 
resource group SIDs, the KDC stores the SID of the resource domain 
to which the resource group belongs only once. Then, it inserts only 
the Relative Identifier (RID) portion of each resource group SID into 
the authorization data. 

Because some third-party Kerberos implementations don’t understand 
KDC Resource Group Compression and this could cause 
interoperability problems, you can disable the feature on the level of 
your Server 2012 DCs. Set the DisableResourceGroupsFields registry 
key in the \HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters 
container to value 1. Learn more 
about Kerberos-related changes in the Microsoft TechNet article 
“What’s New in Kerberos Authentication.” 

—Jan De Clercq 
InstantDoc ID 144669 
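
The idea behind KDC Resource Group Compression described in the answer above (store the resource domain SID once, then only the RID of each group) can be made concrete by comparing byte counts. This is an added illustration, not code from the article or from Microsoft; the function name Measure-ResourceGroupCompression and the sample SIDs are constructed, and the figures are raw SID and RID sizes, not the PAC's real encoding.

```powershell
# Added illustration, not from the article. It models the idea only: raw SID and
# RID byte counts, not the PAC's real encoding (which also carries attributes).
function Measure-ResourceGroupCompression {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $GroupSid
    )

    $parsed = foreach ($text in $GroupSid) {
        $sid    = New-Object System.Security.Principal.SecurityIdentifier $text
        $domain = $sid.AccountDomainSid

        # Well-known SIDs (for example S-1-5-32-544) and bare domain SIDs have no
        # "domain SID + RID" split, so they cannot be compressed this way.
        if ($null -eq $domain -or $domain.Value -eq $sid.Value) {
            throw "SID $text is not a domain-relative group SID."
        }

        [pscustomobject]@{
            DomainSid = $domain.Value
            Rid       = [uint32] ($sid.Value.Split('-')[-1])
            FullBytes = $sid.BinaryLength
        }
    }

    foreach ($group in ($parsed | Group-Object DomainSid)) {
        $domainSid = New-Object System.Security.Principal.SecurityIdentifier $group.Name
        $fullBytes = [int] ($group.Group | Measure-Object FullBytes -Sum).Sum

        # Compressed form: the domain SID once, then one 32-bit RID per group.
        $compressedBytes = $domainSid.BinaryLength + 4 * $group.Count

        [pscustomobject]@{
            ResourceDomainSid = $group.Name
            Groups            = $group.Count
            FirstRids         = @($group.Group | Select-Object -First 5 |
                                  ForEach-Object { $_.Rid })
            FullSidBytes      = $fullBytes
            CompressedBytes   = $compressedBytes
            SavedBytes        = $fullBytes - $compressedBytes
        }
    }
}

# Constructed sample: 130 resource groups in one made-up resource domain.
$sample = 1105..1234 | ForEach-Object {
    "S-1-5-21-1111111111-2222222222-3333333333-$_"
}
Measure-ResourceGroupCompression -GroupSid $sample | Format-List
```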

Q: How do I set a custom page I created in my SharePoint site as my 
home page? 

A: You can make a custom page in your SharePoint site be the 
home page. Depending on whether you’re a developer or 
an administrator, you have several options for doing this: 

• If you enabled the Publishing features on your site, or your site 
was created from a Publishing template, just go to Site Actions, 
Site Settings and click Welcome Page, then select a page. 

• You can open the site in SharePoint Designer, right-click any 
.ASPX page, and select Set as Home Page. 

• You can set the home page by using code. See the MSDN page 
“ SPFolder.WelcomePage property ” for more information. 

• You can use the following Windows PowerShell script to select a 
master page: 

$site = Get-SPSite http://yourserver/sites/yoursite 
$web = $site.RootWeb 
# or: $web = $site.OpenWeb("yoursubsite") 
$folder = $web.RootFolder 
$folder.WelcomePage = "SitePages/home.aspx" 
# or: $folder.WelcomePage = "default.aspx" 
# or: $folder.WelcomePage = "Shared%20Documents/mycustomwebpartpage.aspx" 
$folder.Update() 
$web.Dispose() 
$site.Dispose() 

For SharePoint 2007, replace the first line of this script with the following: 

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") 
$site = New-Object Microsoft.SharePoint.SPSite("http://yourserver/sites/yoursite") 

— Michael T. Smith 
InstantDoc ID 144879 

Q: Is it true you can’t disable User Account Control in Windows 8? 

A: User Account Control (UAC) is a key technology in the later 
Windows OSs, including Windows 8, and is required for 
WinRT-based applications to run. It limits the privileges available during 
a logon session for privileged users, such as an administrator. Introduced 
in Windows Vista, it prompted users frequently when elevation 
of privileges was required. Windows 7 reduced the number of prompts 
by offering more control over prompting via the Change User Account 
Control settings option in User Accounts, which Figure 3 shows. When 
the setting is set to Never notify, UAC is actually disabled. 

Figure 3: Windows 7 UAC Settings 


However, in Windows 8, the Never notify setting doesn’t disable 
UAC; instead, this setting removes any prompts to the user, and when 
an application requests privilege elevation, it happens automatically. 
But the application still has to be UAC aware and request that elevation. 
If the application assumes it has administrator privileges and 
doesn’t ask for elevation, it will fail. It’s important that processes 
such as application installations use a true software deployment system 
to ensure correct privileges are available. 

To really disable UAC in Windows 8, you would have to modify 
the EnableLUA value in the registry at 
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 
a value of 0 and reboot. However, this isn’t supported and will block 
the “Modern” applications—so don’t do it. 

—John Savill 
InstantDoc ID 144462 

Q: If I enable Secure Boot on my Windows 8 machine, can I still 
dual-boot multiple OSs? 

A: In Windows 8 computers, a feature enabled by the Unified 
Extensible Firmware Interface (UEFI)—Secure Boot—was 
designed to keep certain OSs and software from loading during startup. 
Secure Boot provides a secure handoff between the hardware and 
the desired OS, ensuring other code, such as malware, can’t get in 
between the hardware and the signed OS, or impersonate the OS. 

When Secure Boot is used, people often question whether a dual-boot 
can still be done, allowing multiple OSs to boot on a single piece 
of hardware. These are the dual-boot scenarios that can work: 

• Windows 8 and another Windows 8 installation 
• Windows 8 and Windows 8’s Windows to Go feature (for USB) 

• Windows 8 and certain Linux distributions with the loader 
signed, that are trusted by the hardware 

Dual-boot scenarios between Windows 8 and Windows 7 won’t work, 
because the Windows 7 UEFI implementation requires a compatibility 
mode to be used, which doesn’t work with Secure Boot. ■ 

—John Savill 
InstantDoc ID 144402 

What’s new and what’s changed 

If you’ve been around for a while, you’ve probably worked with 
the Windows Automated Installation Kit (Windows AIK), Microsoft 
Application Compatibility Toolkit (ACT), Microsoft Assessment 
and Planning (MAP) Toolkit, Windows Deployment Services 
(WDS), Microsoft Deployment Toolkit (MDT), and Microsoft System 
Center Configuration Manager 2007. The release of Windows 8 introduces 
many new deployment tools, as well as feature enhancements 
to some of these existing ones. 

Revisiting the Old Tools 

In case the tools that I mentioned earlier are new to you, here’s a brief 
explanation of each: 

• Windows AIK contains several (mostly) command-line utilities 
such as Deployment Image Servicing and Management (DISM), 
User State Migration Tool (USMT), Volume Activation Management 
Tool (VAMT), Copype, Oscdimg, and ImageX. 

• ACT keeps track of applications that exist in your environment, 
allowing you to categorize, prioritize, and analyze application 
compatibility for Windows 7. Applications that don’t run properly 
on Windows 7 can be mitigated to run as well as possible, by 
applying ACT shims. ACT requires agents to be installed on each 
client machine, to gather application information. 

• MAP accesses hardware to ensure that minimum OS requirements 
are met. These minimum requirements can be defined to reflect 
your corporate standards. MAP provides information about which 
machines need to be upgraded or replaced prior to the deployment 
of Windows 7. 

• WDS provides Preboot Execution Environment (PXE) boot services, 
Windows Preinstallation Environment (WinPE) to boot, 
deployment of OS images, and multicasting. WDS is commonly 
integrated with MDT and Configuration Manager for PXE boot 
and multicasting functionality. 

• MDT provides a unified, simplistic usage of the Windows AIK 
tools. Most of these tools are command-line only, and each has 
a unique syntax, which can make them time consuming to learn 
and difficult to use. MDT removes the complexity of the Windows 
AIK tools by providing friendly wizards that ask simple questions. 
Under the hood, MDT takes care of all the detailed and varied 
syntax of each tool. 

• Configuration Manager 2007 can perform Zero Touch Installations 
of OS deployments (OSDs), even on computers that don’t have the 
Configuration Manager client agent running. Integrating MDT into 
Configuration Manager 2007 provides the most flexible and robust 
deployment solution available from Microsoft. One of the most 
powerful features of integration is the ability to completely design 
your deployment wizard by using the user-driven interface. This 
interface lets you design (beginning to end) how your deployment 
wizard appears and the order in which the pages are presented. 

New Deployment Tools 

With the release of Windows 8, Windows AIK is being retired. In its
place is a new toolkit, Windows Assessment and Deployment Toolkit
(Windows ADK), which helps to ensure that your applications,
hardware, and drivers are compatible with the new OS. In addition,
Microsoft Security Compliance Manager (SCM) helps you quickly and
easily manage your Group Policy Object (GPO) security settings. A
long-awaited improvement to WDS 2012, which now includes the Expected
Deployment Results Wizard, is the ability to filter drivers based on
the model of client machines. MDT 2012 Update 1 now supports System
Center 2012 Orchestrator runbooks as a task in a deployment. And
last but not least, Configuration Manager 2012 gets a complete
facelift, embracing the System Center management framework. If you
aren’t quite ready to deploy Windows 8, don’t worry: You can still
enjoy all the new tools and features when deploying Windows 7.

Windows Assessment and Deployment Toolkit 

Windows ADK can be installed on Windows Server 2012, Windows 8,
Windows 7, Windows Server 2008 R2, and Windows Server 2008.
The only requirement is that .NET Framework 4 is installed. The
documentation for Windows ADK states that if .NET Framework 4
isn’t installed, the installation process will automatically install it.
However, this didn’t happen when I installed Windows ADK. I
purposely left .NET Framework 4 uninstalled so that I could test the
Windows ADK installer. I was a little disappointed to see that the
installation failed until I manually installed .NET Framework 4. Once
.NET Framework 4 was present, the installation continued without
a hitch. (The machine on which you’re installing Windows ADK
does need Internet access.) Installation of Windows ADK can be a bit
intimidating if you find the 10-page Microsoft document that explains
the different ways you can perform the installation (i.e., from the
Internet, by downloading adksetup.exe and running it locally, or by
using command-line switches). During the installation, packages are
downloaded from Microsoft, based on the Windows ADK features
that you chose to install (as shown in Figure 1). Table 1 lists the
Windows ADK features and their functionality.

Figure 1: Installing Windows ADK

Table 1: Windows ADK Features

Feature: ACT
Functionality: Gathers application data running in your environment;
tracks, prioritizes, categorizes, and mitigates applications
New to Windows 8: Application Compatibility Manager is the central
tool; inventory collection is now available for x64 clients

Feature: Deployment tools
Functionality:
• DISM
• Windows System Image Manager (Windows SIM)
• Oscdimg, DISM API, Bcdboot, WIMGAPI
• Help and Support
New to Windows 8:
• Captures and applies images using PowerShell cmdlets; support for
mounting and servicing .wim and .vhd images
• Creates unattend.xml answer files
• Additional deployment tools and accompanying APIs
• Customizes the Help and Support pages: Home, Escalation, and Browse

Feature: WinPE 4.0
Functionality: Scaled-down version of Windows 8 used to boot a
computer with networking capabilities to capture or apply an OS image
New to Windows 8: Makewinpemedia.cmd creates a bootable WinPE, which
can be placed on a USB flash drive or used as an ISO that can be
burned to CD; supports .NET Framework 4

Feature: Windows Assessment Toolkit
Functionality: Measures performance, reliability, and functionality
New to Windows 8: Assesses performance of one or more computers;
measures system startup and shutdown, media streaming, out-of-box
experience (OOBE), system idle time, overall energy efficiency;
offers a Results database tool

Feature: Windows Performance Toolkit (WPT)
Functionality: Records system events and analyzes performance data
in a GUI
New to Windows 8: Replaces Xperf, Windows Performance Recorder, and
Windows Performance Analyzer; new Issues window lists detailed
information; offers full-text search capabilities

Feature: USMT
Functionality: Migrates users’ data, settings, and application settings
New to Windows 8: /Verify switch verifies status of each file in an
existing migration store; /Extract switch can extract files from a
compressed migration store; improved error management provides more
detailed summary information in ScanState and LoadState logs

Feature: VAMT
Functionality: Manages activation of OSs and Microsoft Office products
New to Windows 8: New UI; computer information is now stored in SQL
Server (SQL Server 2008 R2 is recommended but SQL Server Express is
also supported); five new Volume License reports


Security Compliance Manager 2.5 

SCM 2.5 makes managing GPO security settings during deployment a
snap. You can do everything from using the default baselines to
creating custom GPO Packs for deployment to machines that might never
join a domain yet need to be as secure as domain-joined machines.
The ability to document your existing GPO settings in a Microsoft
Excel spreadsheet in less than 15 minutes is just one SCM feature:

• Get access to a great educational tool that explains GPO setting 
details, vulnerabilities, potential impact, and countermeasures. 

• Export GPO security settings from a domain-joined machine and
document existing GPOs.

• Create GPO Packs that can be deployed to all newly deployed
machines, whether or not they join a domain.

• Compare GPO settings from two machines to determine the
differences.

• Merge two GPO security settings, carefully selecting the desired
setting to create a more solidified set of GPO settings.

Some new deployment tools deploy GPO Packs by default, based
on the OS that’s being deployed. For example, MDT 2012 Update 1
has four GPO Packs that can be deployed, based on the OS:
Win7SP1-MDTGPOPack, WinVistaSP2-MDTGPOPack, WS2008R2SP1-MDTGPOPack,
and WS2008SP2-MDTGPOPack. These GPO Pack settings are documented
on The Deployment Guys blog.

Windows Deployment Services 

WDS has some nice new features, including better driver management,
pre-staging new devices, the Expected Deployment Results
Wizard, and support for standalone WDS servers that don’t require
Active Directory (AD). New WDS features and enhancements include
the following:

• When importing drivers into WDS, the new auto-detection of
duplicate drivers is enabled and prevents importing the same
drivers into multiple driver groups.

• Pre-staging devices can be done in the WDS snap-in. In the past,
pre-staging was performed in the Microsoft Management Console
(MMC) Active Directory Users and Computers snap-in.

• The Expected Deployment Results Wizard helps to identify which
driver groups will be applied to pre-staged devices if a deployment
is performed.

• Standalone WDS servers are much easier to implement with the
new built-in PXE providers and multicasting.

• You can add .vhd images through the WDS snap-in. In the past, a
Wdsutil command was necessary.

• Now, .vhdx image formats are supported and provide sparse
dynamic representation.

• You can now assign a priority to boot and install images, to
determine the order in which images are presented during deployment.

• TFTP and multicasting of images over IPv6 are supported.

• Actual deployments are faster. In the past, images were deployed
in two steps: Download the image to a target machine, and then
apply the image. Now images are applied as they’re downloaded.

• Deployment of ARM clients is supported.

• One of the best new features is the ability to filter drivers based
on model, as shown in Figure 2.

Figure 2: Filtering Drivers

• Pre-staging computers makes them known to WDS, one of its
strongest security features. My favorite security setting is to set
the PXE response to Respond to all Known and Unknown Computers,
but administrative approval must be given for unknown computers.
The new Add Prestaged Device Wizard, which Figure 3 shows, lets
you set from which server the PXE client will PXE boot and
retrieve its PXE prompt policy. You might be wondering what a PXE
prompt policy is and what it does; I certainly did. A PXE prompt
policy defines what happens after a network boot is
initiated—settings such as whether someone needs to press F12 to
continue the PXE boot process, whether client machines
automatically PXE boot unless Esc is pressed, or whether to boot a
custom PXE network boot program.

Figure 3: Add Prestaged Device Wizard

• The Boot Image option lets you specify the default boot image
(WinPE) to boot when PXE boot is completed. You can also set
the unattend answer file to be used for this client when an
installation is performed, as well as the settings for joining the newly
deployed machine to a domain.
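
The PXE response, approval, and prompt-policy settings described in the pre-staging bullet can also be applied from an elevated prompt on the WDS server with Wdsutil. The script below is an added example, not code from the original article; the server name, device name, and MAC address are constructed placeholders.

```powershell
# Added example: run in an elevated PowerShell session on the WDS server.
# $WdsServer, $DeviceName and $DeviceMac are constructed placeholders.
$WdsServer  = 'WDS01'
$DeviceName = 'LAB-PC-001'
$DeviceMac  = '00-11-22-33-44-55'

function Invoke-WdsUtil {
    # Runs wdsutil with the given arguments and stops on a non-zero exit code,
    # so a failed policy change is never silently skipped.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    & wdsutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Weak combination, shown for contrast only (not executed): every client is
# answered and unknown computers are never held for review.
#   wdsutil /Set-Server /AnswerClients:All
#   wdsutil /Set-Server /AutoAddPolicy /Policy:Disabled

# 1. Respond to all known and unknown computers ...
Invoke-WdsUtil '/Set-Server', "/Server:$WdsServer", '/AnswerClients:All'

# 2. ... but hold unknown computers as pending until an administrator
#    approves them.
Invoke-WdsUtil '/Set-Server', "/Server:$WdsServer", '/AutoAddPolicy', '/Policy:AdminApproval'

# 3. PXE prompt policy: OptIn means someone must press F12 to continue the
#    network boot (OptOut boots unless Esc is pressed).
Invoke-WdsUtil '/Set-Server', "/Server:$WdsServer", '/PxePromptPolicy', '/Known:OptIn', '/New:OptIn'

# 4. Pre-stage one device so that it is known to WDS and is referred to
#    this server when it PXE boots.
Invoke-WdsUtil '/Add-Device', "/Device:$DeviceName", "/ID:$DeviceMac", "/ReferralServer:$WdsServer"

# 5. Review the result: the effective server configuration and the queue of
#    unknown computers that are waiting for approval.
Invoke-WdsUtil '/Get-Server', "/Server:$WdsServer", '/Show:Config'
Invoke-WdsUtil '/Get-AutoAddDevices', "/Server:$WdsServer", '/DeviceType:PendingDevices'

# Approve or reject a pending computer by the request ID shown in the queue:
#   wdsutil /Approve-AutoAddDevices /RequestId:<request id>
#   wdsutil /Reject-AutoAddDevices  /RequestId:<request id>
```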



Microsoft Deployment Toolkit 2012 Update 1 

MDT isn’t new to the deployment world. This free deployment tool from 
Microsoft performs Lite Touch Installation (LTI), which means that a 
human must touch the target machine even if only to initiate a boot. 
The newest version, MDT 2012 Update 1, offers new enhancements: 

• Capturing user state in-use files is no longer an issue. Files that
are used by programs such as Outlook (e.g., address books) can
be opened by the program upon boot to help ready it for use.
These open files previously had locks that prevented them from
being included when users’ data and settings were captured, but
this issue has been resolved.

• Windows PowerShell 3.0 scripts are now supported.

• The Microsoft Diagnostic and Recovery Toolkit (DaRT) 8 is
supported, to provide remote control of target machines during
deployment in the WinPE phase and additional tools to assist in
troubleshooting failed deployments for Software Assurance (SA) clients.

• The Zero Touch Installation and user-driven interface task
sequences have been combined.

• Orchestrator runbooks are supported in task sequences. A couple
of features offered by Orchestrator are the ability to move a computer
during deployment from one organizational unit (OU) to another and
to create a service request in the event of a failed deployment.

• The Microsoft Customer Experience Improvement Program (CEIP) 
now gathers more information about how MDT is being used. 

• A user-driven interface has been added to MDT and lets you fully 
customize your deployment wizard to fit your environment’s needs. 

Configuration Manager 2012 

Configuration Manager 2012 has a completely new look: the System
Center management framework. The major changes in Configuration
Manager 2012 are the UI, site hierarchy, state-based application
deployment model, and terminology. The OSD feature hasn’t changed
much; when integrating MDT 2012 Update 1 with Configuration
Manager, the MDT OSD task sequence hasn’t changed drastically.

• The new UI uses the System Center framework as the administrative
console (Microsoft.ConfigurationManagement.exe), instead of using
the MMC interface that Configuration Manager 2007 and 2003 used.
Embrace the Ribbon and Wunderbars, shown in Figure 4. The
Wunderbars are at the bottom-left corner of the UI and control
configuration of Asset and Compliance, Software Library, Monitoring, and
Administration. Selecting a Wunderbar determines the features you
can configure and monitor and the reports you can create.




Windows IT Pro / January 2013 



Figure 4: New Administrative UI

• Applications can be deployed in a state-based manner. You can
identify an application as always being installed. Then, based on
scanning intervals that you define, Configuration Manager clients
are scanned and missing applications are installed. You can also
specify that an application should never be installed; based on
your scanning interval, any such applications that are detected
will be removed.

• There’s a new type of site: central administration. Only large or
geographically dispersed companies need a central administration
site; most companies can create a standalone primary site. A central
administration site by itself can’t deploy applications or perform
OSDs; in fact, you can’t even designate management or distribution
points. Mainly, a central administration site is designed to link
multiple primary sites. If you’re in a small to midsized organization or
setting up a lab environment, start with a standalone primary site.

• There are two changes to terminology. Instead of advertising a 
task sequence to a collection, you now deploy the sequence. Also, 
mandatory OSDs are now referred to as required OSDs. 

• The configuration of client monitoring in a WinPE phase for
Configuration Manager 2012 has been streamlined.




• Distributing content for an entire task sequence is much easier.
Typically, an OSD task sequence has multiple packages that need
to be distributed to distribution points. In Configuration Manager
2012, you can highlight the OSD task sequence and choose Distribute
Content. All packages associated with that task sequence will
be updated on your distribution points, as shown in Figure 5.

Figure 5: Updated Packages


New Tools, New Features 

I hope that this article helps you understand the new Microsoft
deployment tools and what you can do with them. Look for future
step-by-step articles on these new tools and features. And as always, I
would love to hear from you about deployment issues that you’re having
or enhancements that you’d like to see made to the new tools.

New Release

Windows 8

The new client OS represents radical departure from previous Windows versions

Windows 8, Microsoft’s latest client OS, features a new UI designed to be tablet
touch-friendly, and became available to customers via software upgrades or
with new PC purchases on October 26, 2012. Windows 8 represents a radical
departure from previous Windows versions and is arguably the most dramatic upgrade
Microsoft has yet developed.

The system is essentially a brand-new mobile platform that has been melded onto the
traditional Windows desktop, giving users what Microsoft calls a “no compromises”
experience that blends the best of mobile with the best of Windows. Windows IT Pro brings you
ongoing coverage of Windows 8, with in-depth treatment of significant features, breaking
news, and analysis. Visit our Windows 8 page for the latest news and technical features.

Windows 8 In-Depth

► Video: Windows 8 Keyboard and Mouse Survival Guide
► Windows 8 Upgrade Offer for PC Buyers Goes Live
► Windows 8 Client Virtualization
► Start: The Windows 8 Era Begins
► Welcome to Windows 8
► Enterprises: Now's the Time to Get Your Windows 8 On!
► Upgrade from Windows 8 Enterprise Eval? Nope
► Installing Windows 8 Enterprise Edition Product Key
► Windows 8 Review, Part 1: The Desktop
► Will IT Departments Rush to (or Away from) Windows 8?
► Windows 8 Review, Part 2: You Got Your Metro in My Windows

Windows 8 Features

► Windows 8 Feature Focus: Windows Store
► Windows 8 Feature Focus: Settings Sync
► Windows 8 Feature Focus: File Explorer
► Windows 8 Feature Focus: Live Tiles
► Windows 8 Feature Focus: From Pre-Release to RTM
► Windows 8 Feature Focus: Charms
► Windows 8 Feature Focus: Start Screen
► Windows 8 Feature Focus: Lock Screen
► Windows 8 Feature Focus: BackTip
► Windows 8 Feature Focus: Tiles
► Windows 8 Feature Focus: Contracts

Windows 8 Tips

► Windows 8 Tip: Use Windows 7 System Image Backup
► Windows 8 Tip: Complete Windows 8 with Windows Essentials 2012
► Windows 8 Tip: Use Trackpad Multi-touch Gestures
► Windows 8 Tip: Pin Favorite Apps in Start Search
► Windows 8 Tip: Picking a Backup Strategy
► Windows 8 Tip: Upgrade from Windows 7
► Windows 8 Tip: Upgrade from Windows XP
► Windows 8 Tip: Upgrade from Windows Vista
► Windows 8 Tip: Upgrade from the Release Preview
► Windows 8 Tip: Customize the Desktop
► Windows 8 Tip: Customize Live Tiles
► Windows 8 Tip: Customize the Start Screen

The Essential Guide to Preparing for a Migration to
Microsoft SharePoint 2013

by Colin Spence

JANUARY 2013

It is well known that Microsoft SharePoint offers a wide range of
collaboration and document management tools, adding in the last
several versions extensive social networking, business intelligence,
and cloud-related capabilities. With the latest release of SharePoint
2013, Microsoft has once again upped the ante in terms of tools,
features, and capabilities of the software. As with any other upgrade
decision, the organization must carefully consider the return on
investment of a SharePoint upgrade, or consolidation of multiple
products to the SharePoint environment.

This white paper addresses a number 
of the primary challenges in preparing for 
a full or partial migration to SharePoint 
2013 by breaking down the process into 
several key steps: 


1. Does it make sense for the organization to upgrade to SharePoint
2013?

2. What is within the scope of the upgrade (“source content”)?

3. What will the new SharePoint 2013 architecture look like
(“destination design”)?

4. And finally, how will the data and content be migrated?

By examining these components, decision makers in the organization
can then develop a focused plan of action, and then budget for the
hardware, software (both Microsoft and third-party) and labor
services that are required for the migration.




Special Advertising Supplement to Windows IT Pro 


Sponsored by AvePoint 


















Feature Enhancements 

In attempting to determine whether it makes sense for the organization
to upgrade to SharePoint 2013, it helps to first understand what is
new and improved in the SharePoint 2013 product family. From real
world experience, organizations will rarely implement every feature
in the product. The range of features to be leveraged typically
varies based on the level of experience the organization has with
the SharePoint product family, and based on the type and number of
legacy applications that are to be replaced. It also matters which
version of SharePoint 2013 is implemented, as the different
editions—Foundation, Standard, and Enterprise—each have different
features and capabilities.

For example, if an organization has never used SharePoint before, and
simply wants to replace a ten-year-old intranet that is static and
stale, the list of features to be implemented and leveraged is
typically quite limited, and the SharePoint Foundation 2013 product
might suffice. However, if an organization has been supporting
SharePoint for five years, and wishes to replace a competitor’s
Enterprise Content Management (ECM) system (such as Documentum or
eRoom) as well as create an Extranet and provide a platform for
developing complex Business Intelligence dashboards, the list of
features will be more extensive and SharePoint 2013 Enterprise may be
required.

While it is out of the scope of this paper to cover all of the
feature enhancements in SharePoint 2013, the primary areas that are
typically highlighted when discussing SharePoint 2013 updates include
the following:

• Branding: While Microsoft has made great strides in this area, many
users still find the interface “clunky” or “ugly” and feel that a
more appealing look and feel will add to the value of the software.
Many new features have been added to SharePoint 2013 in this area to
enhance the organization’s ability to configure the look and feel of
the SharePoint 2013 environment. These include a Design Manager for
Publishing Site Collections, improved site navigation that is driven
by managed metadata, image renditions to create different renditions
of source images, as well as new content publishing features.
SharePoint 2013 introduces the Product Catalog site collection
template, as well as Content Search Web Part, Control Template, and
Item Display Template for more granular control over the display of
search results. Additionally, device channels allow you to render a
single site in multiple ways by using different designs that target
different devices, such as smart phones or tablets.







• Mobile devices: Many improvements in SharePoint 2013 enhance the
capability of mobile devices to access SharePoint data. For example,
Contemporary View offers an optimized mobile browsing experience and
renders in HTML5, and device channels can be used to render views
differently for different devices. Push notifications can alert
mobile device users of documents being added to libraries or similar
events. Access to Business Intelligence dashboards created in
PerformancePoint is enhanced to support iOS devices.

• Search: The core search architecture has changed slightly, and now
Web servers do not host any search components. They are instead
hosted on Application servers in the SharePoint 2013 farm. Many
improvements have been added, including document previews for certain
common document types, and there are many improvements in areas such
as relevance, ranking model, analysis of which items people are
actually clicking in search results, crawling, and analysis.

• Social computing: SharePoint 2013 introduces the concept of
communities to the SharePoint environment, with new Community site
templates that offer a “forum experience” to visitors who can
participate in discussions and become members if they like. The My
Sites user interface is upgraded and now includes Microblog and
Newsfeeds features.

For more advanced SharePoint users and developers, the following list
of improvements may provide significant value in the final solution:

• Business Connectivity Services (BCS): There are numerous new and
enhanced capabilities of BCS in SharePoint 2013. Fundamentally, BCS
allows you to use SharePoint 2013 as an interface into data that
resides somewhere other than in SharePoint 2013 to build “dashboards”
or “mashups.” BCS can access external data sources through Open Data
(OData), Windows Communication Foundation (WCF) endpoints, web
services, cloud-based services, and .NET assemblies, or through
custom connectors. For example, SharePoint 2013 BCS tools allow
developers and power users to integrate external data into SharePoint
lists by using the external data column.

• Business Intelligence (BI): Included in the SharePoint 2013
Enterprise product, the BI tools in SharePoint 2013 include the
following: Excel 2013, Excel Services, PerformancePoint Services,
Visio Services, and tools in Microsoft SQL Server. With enhancements
in this area, end users can more easily explore data and conduct
analysis in Excel Services reports that use SQL Server Analysis
Services (SSAS) data or PowerPivot data models. The BI Center is
easier to use, PerformancePoint filters are more powerful, and
searching is now possible within filter members. The server-side
dashboard migration feature allows you to move PerformancePoint
content from one site or server to another site or server.

• eDiscovery: eDiscovery tools in SharePoint 2013 include the ability
to manage eDiscovery from a central eDiscovery Center and discover
content from multiple SharePoint 2013 farms, multiple Exchange 2013
servers, and multiple file shares. Preserved content in SharePoint
2013 is still editable, while users with eDiscovery permissions can
see the preserved version of the content.

• Workflow: Workflows have become increasingly popular on the
SharePoint platform, but many organizations have struggled with
limitations in the scalability, performance, and reliability of
workflows created in SharePoint 2010 and previous versions.
SharePoint 2013 supports SharePoint 2010 workflows (which run on
Windows Workflow Foundation 3) but also allows for creation of
workflows on the new Windows Workflow Foundation 4, which uses the
new Workflow Manager tool and Windows Server AppFabric component.
SharePoint 2013 workflows move the workflow processing onto an
external host, the Azure Service Bus, which allows for greater
scalability and cloud-based workflow processing.

Defining the Scope of the Migration 

The analogy of moving into a new house 
or a new office is applicable and useful in 
migration scenarios. Most people would 
agree that it makes sense to go through their 
possessions when moving to a new house 
and throw out a certain percentage, donate 
others, and then keep the remainder while 
making sure that what is kept is organized 
when placed in the new residence. 

A one-to-one move or migration can 
be quite complex, of course, and then if 
the organization decides to move/migrate 
many-to-one, the complexity increases. 
For a “standard” SharePoint 2013 upgrade 
from a previous version of SharePoint, 
the out-of-the-box upgrade paths are very 
limited. Microsoft only supports direct 
upgrades from the previous version of the 
product, or specifically from SharePoint 
Foundation 2010 or SharePoint Server 2010 
Standard or Enterprise. 

It is worth noting that the database-attach method is the only
supported way to upgrade databases to a new environment that is based
on SharePoint 2013: The in-place upgrade is no longer offered.
In-place upgrades were rarely used since most organizations use the
migration process to implement the latest Windows Server operating
system, newer and faster hardware, virtualized servers, or even
cloud-based environments. So, upgrading an existing, and often
imperfect, environment to run on effectively obsolete hardware and
operating system rarely made business sense.

The following database types can be 
upgraded to SharePoint 2013 products: 

• Content databases (including My Sites)

• Service application databases
  - Business Data Connectivity
  - Managed Metadata
  - PerformancePoint
  - Secure Store
  - Search
  - User Profile

Note: After a site collection is migrated via the database-attach
method, a site collection administrator can leave it with the old
SharePoint 2010 look and feel, or upgrade the site collection to the
new SharePoint 2013 user interface.

It is recommended—at a bare minimum—to review the following settings
when preparing for a migration from SharePoint 2010 to SharePoint
2013:

• Web application settings

• Service Application settings including:
  - Which Service Applications are in use and providing business value
  - User Profile settings
  - Search settings
  - Managed Metadata term sets

• Alternate access mappings

• Authentication providers and authentication modes that are being
used

• Quota templates

• Managed paths

• Self-service site management settings

• Incoming and outgoing e-mail settings

• Customizations including:
  - Solution packages
  - Applications based on the SharePoint platform
  - Branding and navigation customizations

• Certificates

Additionally, it is recommended to gather 
information about the legacy environment: 

• Number of site collections and size of content databases
  - Determine if any modifications are needed in terms of number of
    site collections and map out the new structure

• Complete list of sites per site collection (including My Sites)
  - Determine if any reorganization is required when moving to the
    new environment

• Number of content databases
  - Determine if modifications are needed in terms of the number of
    content databases, and map out the new structure

• Workflows in use
  - Identify out-of-the-box SharePoint 2007 or 2010 workflows
  - Identify SharePoint Designer 2007 or 2010 workflows
  - Identify third-party or Visual Studio workflows

• Forms in use
  - Customized .aspx forms
  - InfoPath forms
  - Other forms
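
Much of the inventory in the two lists above can be collected read-only from the existing farm with the SharePoint Management Shell. The script below is an added example, not part of the original white paper or of any AvePoint tool; the output folder is a constructed placeholder, and it covers only items that the built-in cmdlets and object model expose directly (workflows, forms, and managed paths are not included).

```powershell
# Added example: read-only inventory of a SharePoint 2010 farm before a
# migration. Run in the SharePoint Management Shell as a farm administrator.
# $OutDir is a constructed placeholder path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$OutDir = 'C:\MigrationInventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Export-Inventory {
    # Writes one inventory table to <OutDir>\<Name>.csv; skips empty results.
    param([string]$Name, [object[]]$Rows)
    if ($Rows) {
        $Rows | Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation
    }
}

Start-SPAssignment -Global   # SPSite/SPWeb objects are released at the end

# Number and size of content databases, and site collections per database
Export-Inventory 'ContentDatabases' (Get-SPContentDatabase | Select-Object Name,
    @{n='WebApplication'; e={$_.WebApplication.Url}}, CurrentSiteCount,
    @{n='SizeGB'; e={[math]::Round($_.DiskSizeRequired / 1GB, 2)}})

# Site collections (My Sites included) and the complete list of sites in each
$sites = Get-SPSite -Limit All
Export-Inventory 'SiteCollections' ($sites | Select-Object Url,
    @{n='ContentDatabase'; e={$_.ContentDatabase.Name}},
    @{n='SizeMB'; e={[math]::Round($_.Usage.Storage / 1MB, 1)}},
    @{n='SiteCount'; e={$_.AllWebs.Count}})
Export-Inventory 'Sites' ($sites | ForEach-Object { $_.AllWebs } |
    Select-Object Url, Title, WebTemplate)

# Web application settings: claims mode, self-service site creation,
# default quota template, outgoing e-mail sender
$webApps = Get-SPWebApplication
Export-Inventory 'WebApplications' ($webApps | Select-Object DisplayName, Url,
    UseClaimsAuthentication, SelfServiceSiteCreationEnabled,
    DefaultQuotaTemplate, OutboundMailSenderAddress)

# Authentication mode per web application and zone
Export-Inventory 'Authentication' ($webApps | ForEach-Object {
    $wa = $_
    $wa.IisSettings.GetEnumerator() | ForEach-Object {
        New-Object PSObject -Property @{
            WebApplication     = $wa.Url
            Zone               = $_.Key
            AuthenticationMode = $_.Value.AuthenticationMode
            WindowsIntegrated  = $_.Value.UseWindowsIntegratedAuthentication
            KerberosDisabled   = $_.Value.DisableKerberos
            AllowAnonymous     = $_.Value.AllowAnonymous
        }
    }
})

# Alternate access mappings, quota templates, solution packages,
# service applications, and trusted root certificates
Export-Inventory 'AlternateAccessMappings' (Get-SPAlternateURL |
    Select-Object IncomingUrl, UrlZone)
Export-Inventory 'QuotaTemplates' (
    [Microsoft.SharePoint.Administration.SPWebService]::ContentService.QuotaTemplates |
    Select-Object Name, StorageMaximumLevel, StorageWarningLevel)
Export-Inventory 'Solutions' (Get-SPSolution |
    Select-Object Name, Deployed, DeploymentState, ContainsGlobalAssembly)
Export-Inventory 'ServiceApplications' (Get-SPServiceApplication |
    Select-Object DisplayName, TypeName, Status)
Export-Inventory 'TrustedRootCertificates' (Get-SPTrustedRootAuthority |
    Select-Object Name,
    @{n='Thumbprint'; e={$_.Certificate.Thumbprint}},
    @{n='NotAfter'; e={$_.Certificate.NotAfter}})

Stop-SPAssignment -Global
```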

As may be apparent by now, there are many “moving parts” to a
migration, and from the author’s experience of leading many
migrations for organizations of different sizes, most organizations
will run into a number of challenges in the migration process. When
additional sources of data and content are added to the mix, the
complexity increases dramatically, and Microsoft doesn’t offer
out-of-the-box migration methods in most cases, so third-party
migration tools are extremely valuable. AvePoint has been providing
migration and management tools for the SharePoint platform since its
inception in 2001 and offers a wide range of migration tools that can
save the organization a great deal of time and effort when migrating
from legacy systems and previous versions of SharePoint. Figure 1
shows the migration tools available from AvePoint for migrating
content.

Figure 1 - Migration tools available from AvePoint


Architectural Basics 

With the scope of the migration defined, the design of the new
SharePoint environment can now be efficiently completed. A SharePoint
architectural plan must take into account the hardware and software
that will power the servers, as well as the components of SharePoint
that will be used in the end solution. Creating such a plan can be a
very involved process, but for the purposes of this white paper, the
process will be broken down into core components to illustrate some
of the challenges when planning for an upgrade or migration.

One of the first things that typically happens in a SharePoint
architectural design session is that the configuration is drawn up on
a white board or in an application such as Microsoft Visio. From this
perspective, the main components haven’t changed from SharePoint 2010
and are discussed below.

To begin, the number of SharePoint 2013 
servers that will be deployed and the roles 
each will play need to be defined. While 
the smaller organizations may get by with 
an all-in-one server, this is almost never 
recommended for production use, even for 
smaller companies. Following are some 
recommendations for determining the 
number of servers and their roles in the 
farm: 

• The 64-bit edition of Windows Server 2008 R2 Service Pack 1 (SP1)
Standard, Enterprise, or Datacenter, or the 64-bit edition of Windows
Server 2012 Standard or Datacenter is required, among other
prerequisites, to install SharePoint 2013.

• Building on this platform, it is then 
recommended that you differentiate 
between Web servers and Application 
servers in the production farm: 

  - Web Server (aka Web Front End Server): The SharePoint 2013
    software is installed on these servers. Two or more Web servers
    are typically recommended as a starting point to organizations of
    all sizes, with hardware load balancing devices typically
    recommended to balance end-user requests. These servers host Web
    Pages, Web Services, and Web Parts that are necessary to process
    end user requests. Also, the Web server directs requests to the
    appropriate Application servers.

  - Application Server: SharePoint 2013 software is also installed on
    these servers. Then, the SharePoint components that “live” on
    these servers can be configured by the SharePoint Farm
    Administrators. Two or more Application servers are typically
    recommended for redundancy purposes. However, the SharePoint
    software handles redundancy and load balancing in this area—not
    external devices. Services on the Server page in Central
    Administration lists the different Service Applications that can
    be assigned to specific Application servers. Figure 2 shows a
    subset of the Service Applications available in SharePoint 2013
    Enterprise that can be configured to meet organizational
    requirements.

Figure 2 - A subset of the Service Applications available in
SharePoint 2013 Enterprise that can be configured to meet
organizational requirements


• The next step is to discuss the required 
database server configuration: 

  - Database Servers: SharePoint 2013 supports either the 64-bit
    edition of Microsoft SQL Server 2012 or the 64-bit edition of SQL
    Server 2008 R2 Service Pack 1. Smaller organizations may choose a
    single SQL Server machine, but most organizations choose multiple
    servers for redundancy purposes. With SQL Server 2012, the
    AlwaysOn Availability Groups (AOAG) configuration is a popular
    configuration for organizations with rigorous availability and
    failover requirements (see Figure 3). AlwaysOn Availability Groups
    represent the latest evolution in database mirroring technology
    that enables zero data loss through log-based data movement.

Figure 3 - A SharePoint 2013 configuration that includes SQL Server
2012 AlwaysOn Availability Groups

• Finally, the organization needs to determine how many farms are
required for the overall solution. For example, most organizations
have a very robust production farm, and some have failover farms, as
well as “Staging” or “QA” testing farms and “Development” farms.

After completing this process it is not unusual to have filled the
white board or Visio diagram with upwards of a dozen servers in
multiple farms. While this may seem like overkill, experience with
hundreds of organizations of different sizes has proven the importance
of a multi-tiered, fault-tolerant and redundant environment when
critical data and business processes are powered by SharePoint.

There are, of course, many other configuration options and
technologies to consider when configuring a SharePoint 2013 farm,
especially for larger organizations that are geographically
distributed or wish to include cloud technologies in their solution.
Most organizations will seek the assistance of a professional
consulting firm to assist in this process to ensure that the
foundation for the SharePoint environment is properly sized and
designed.

Going Forward 

This guide focuses on the process involved with defining a migration
strategy and plan of action for migrating from SharePoint 2010 to
SharePoint 2013, and gives suggestions for designing a strategy to
migrate from multiple sources of content (e.g., file shares, LiveLink,
eRoom, Vignette) to a SharePoint 2013 environment.

While the Content Database Attach method may work for “basic”
SharePoint 2010 to 2013 migrations, Microsoft doesn’t support
migrations from previous versions of SharePoint (such as SharePoint
2007 or 2003), nor does Microsoft offer tools to migrate from other
third-party products. Therefore it is strongly recommended that any
organization challenged with a more complex migration investigate
migration and management tools from AvePoint. Furthermore, AvePoint
DocAve Online provides cloud-hosted tools for performing many valuable
tasks, including managing content, backup and restore, and replicating
content between SharePoint locations. AvePoint tools also provide many
other powerful capabilities that are advantageous to SharePoint farm,
site collection, and site administrators.
New Release

Windows Server 2012

Improvements in storage, virtualization, and management are worth a look

Windows Server 2012, arguably the most significant server release
Microsoft has ever offered, became available for evaluation and
purchase to customers around the world on September 4, 2012. Server
2012 offers a simplified licensing model that includes all features of
the OS in all editions of Server. You’ll find improved management
capabilities in Server Manager and PowerShell. Storage improvements
are numerous, and Hyper-V enhancements include scalability, live
migration upgrades, and storage live migration capabilities. Windows
IT Pro brings you ongoing coverage of Server 2012, with in-depth
treatment of significant features, breaking news, and analysis. Visit
our Windows Server 2012 page for the latest news and technical
features.
Top 10 Windows Server 2012 FAQs

1. How do I remotely view a Remote Desktop session in Windows Server 2012?

2. What features does NTFS support that ReFS does not support?

3. How many network adapters can be combined in a single Windows Server 2012 native NIC team in a virtual machine?

4. I'm using Windows PowerShell to create a new Windows Server 2012 native NIC team, so why isn't the -Confirm flag working to suppress the configuration prompt?

5. How many network adapters can be combined in a single Windows Server 2012 native NIC team on a physical host?

6. How do I create a native NIC team in a Windows Server 2012 VM running on Hyper-V?

7. How do I hot-add memory to a Windows Server 2012 Hyper-V virtual machine?

8. If I upgrade a Hyper-V host to Windows Server 2012 from Windows Server 2008 R2, will VMs keep running during the upgrade?

9. Are Windows NT 4 and Windows 2000 guest OSs supported on Windows Server 2012 Hyper-V?

10. Where are the KMS keys for Windows 8 and Windows Server 2012?
Windows Server 2012 Articles



► Microsoft's Cloud OS: A Vision of Infrastructure's Future 


► Navigating Storage Spaces and Pools 

► Integrating vSphere and Hyper-V 

► Introducing Windows Server 2012 

► New Features in Windows Server 2012 Server Manager 

► Windows Server 2012 Essentials: Access the Server Remotely 

► Windows Server 2012 Sprints Through the Finish Line 

► Getting Around in Windows Server 2012, Part 2: Server Manager 

► Windows Server 2012 Essentials: Domain vs. Workgroup 

► Get Ready for Windows Server 2012 Hyper-V 

► Cloning Virtual Domain Controllers in Windows Server 2012 

► Windows Server 2012: Foundation vs. Essentials 

► Video: Getting Around in Windows Server 2012 Server Manager 

► Windows Server 2012 Essentials: Connect Client PCs without Using a Domain 

► Windows Server 2012 and SQL Server 2012: Better Together 

► New Ways to Enable High Availability for File Shares 

► Microsoft Releases Windows Server 2012 to Manufacturing 

► Top 10 Windows Server 2012 Storage Enhancements 

► Is Microsoft Trying to Kill Windows Server? 

► Getting Around in Windows Server 2012, Part 1 

► Shared-Nothing VM Live Migration with Windows Server 2012 Hyper-V 
Top 10 vSphere Performance Tips

Get the best possible performance from your ESXi virtual machines

Based on numerous VMware vSphere ESXi installations at various clients
with differing configurations, I’ve developed a top 10 list of tips
that an ESXi administrator can use to increase the performance of
virtual machines (VMs). Hopefully you can use some of these tips to
get the best possible performance on your ESXi VMs.

Tip #1: ESXi Host Memory and Memory Overcommit 

The memory overcommit feature in ESXi lets you allocate more memory to
VMs running on an ESXi host than the amount of physical memory
installed on the host. Memory overcommit can be useful when you need
to get a VM running in an emergency, but you should avoid using it.
Many VM performance issues can be traced to not allocating enough
memory to a VM or to overcommitting the memory on the ESXi host.

If using the memory overcommit feature on a standalone ESXi host is a
poor idea, it’s a potential train wreck when the ESXi host is
connected to a cluster. We design ESXi clusters for N-1 hosts. If one
host goes down, can the remaining ESXi hosts handle the load? Let’s
assume that you have a two-node ESXi cluster and each ESX host needs
32 GB of memory to avoid memory overcommit, based on the VMs that are
running on each host. If one host fails, then all the VMs that were
running on that host will automatically start on the remaining host—if
you properly configured your high-availability cluster.

In this example, you actually need 64GB on each host to avoid memory
overcommit when one host goes down. If you have only 32GB of memory on
each host and one of the hosts fails, then the performance of all the
VMs on the remaining host will suffer because the remaining ESXi host
will be 50-percent memory overcommitted.

Whenever I install a new ESXi cluster, I use vMotion to migrate all
the VMs off one host to another ESXi host (or hosts). Then I listen
for the silence. In other words, no one should complain or even notice
that one of the ESXi hosts was shut down. This verifies that the
design is solid and can meet the computing needs of the client, even
when one ESXi host fails. I suggest purchasing an ESXi host that can
hold at least 256GB of memory for future expansion.
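
The N-1 sizing rule described above, generalized to any number of hosts, as an added example that is not part of the original article. The function name and both inventories are constructed for illustration; the check compares aggregate memory only and does not model where individual VMs are restarted.

```powershell
# Added example: aggregate N-1 memory check for an ESXi cluster.
# Test-ClusterN1Memory and the inventories below are constructed for
# illustration; they are not part of vSphere or of the original article.

function Test-ClusterN1Memory {
    param(
        # One object per host with Name, PhysicalGB (installed memory) and
        # VmDemandGB (memory configured on the VMs that normally run there).
        [Parameter(Mandatory = $true)] [object[]] $Hosts
    )

    # Every VM in the cluster must still fit after one host is lost.
    $demand = ($Hosts | Measure-Object -Property VmDemandGB -Sum).Sum

    foreach ($failed in $Hosts) {
        $survivors = @($Hosts | Where-Object { $_.Name -ne $failed.Name })
        $remaining = 0
        foreach ($s in $survivors) { $remaining += $s.PhysicalGB }

        New-Object PSObject -Property @{
            FailedHost    = $failed.Name
            DemandGB      = $demand
            RemainingGB   = $remaining
            ShortfallGB   = [math]::Max(0, $demand - $remaining)
            Overcommitted = ($demand -gt $remaining)
        } | Select-Object FailedHost, DemandGB, RemainingGB, ShortfallGB, Overcommitted
    }
}

function New-HostRecord ($Name, $PhysicalGB, $VmDemandGB) {
    New-Object PSObject -Property @{
        Name = $Name; PhysicalGB = $PhysicalGB; VmDemandGB = $VmDemandGB
    }
}

# Constructed inventory 1: the two-node case from the text, with 32GB
# installed per host and 32GB of VM memory per host. Losing either host
# leaves 32GB of physical memory for 64GB of VMs.
$undersized = @(
    (New-HostRecord 'esx1' 32 32),
    (New-HostRecord 'esx2' 32 32)
)

# Constructed inventory 2: the same VMs with 64GB installed per host.
$sized = @(
    (New-HostRecord 'esx1' 64 32),
    (New-HostRecord 'esx2' 64 32)
)

Test-ClusterN1Memory -Hosts $undersized | Format-Table -AutoSize
Test-ClusterN1Memory -Hosts $sized      | Format-Table -AutoSize
```

A row with Overcommitted set to True names a host whose loss would leave the cluster short of memory; the evacuation test with vMotion remains the practical confirmation.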

I get prices for the individual DIMMs and look for the point at which
the price/DIMM density becomes nonlinear. For example, Table 1 lists
approximate prices of Double Data Rate 3 (DDR3) DIMMs for the HP
ProLiant DL380 G7 Server. The prices are relatively linear up through
the 8GB DIMM. However, the price difference between 8GB and 16GB is
significant. For example, if I need an ESXi host with 96GB of memory,
I would purchase twelve 8GB DIMMs ($2,040) rather than six 16GB DIMMs
($2,880). I use this purchasing strategy even though I know that I
might need to replace the 8GB DIMMs in the future to reach the maximum
capacity of the server. (By the time I need the memory upgrade, the
16GB DIMMs will probably be less expensive than the 8GB DIMMs at
today’s prices.)

Several clients have reminded me that when you increase the memory in
a server over a certain amount—96GB with the DL380 G7—the memory
speeds drop. For example, if you go up to the maximum of 144GB in the
DL380 G7 host, speeds drop from 1,333MHz to as low as 800MHz. Although
this is true, I argue that not having the memory will have a greater
negative effect than slowing down the memory speeds. Random memory
access is approximately 100,000 times faster than disk access. So even
with the drop in memory speeds, 800MHz memory is still roughly 60,000
times faster than disk access.

Table 1: Pricing Levels per DIMM

DIMM Size   Price
2GB         $48
4GB         $93
8GB         $170
16GB        $480

For example, I just helped perform a Microsoft Exchange Server 2010
migration for a client. All the Exchange servers are VMs in an ESXi
cluster. To handle the additional load of Exchange 2010, we needed to
increase the memory in each host by 96GB, from 64GB to 160GB. With
this configuration, Exchange 2010 is fast and stable. No one noticed
that the memory speeds dropped to 800MHz, but everyone would have
noticed if we hadn’t installed the additional memory prior to the
Exchange 2010 migration. The bottom line: Make sure that you have
enough memory in your ESXi host, and avoid using the memory overcommit
feature for the best possible performance.

Tip #2: ESXi Host CPU Cores 

You can’t have too many CPU cores on your ESXi host. With vSphere 5
Enterprise Plus, you can configure a VM with as many as 32 virtual
CPUs (vCPUs). CPU clock speed on the host doesn’t matter as much as
the number of cores. If I had to choose between a faster clock speed
and more CPU cores, I’d select the latter.

vSphere is licensed by socketed CPU, so it makes sense to get a CPU
with as many cores as possible. You might be able to configure an ESXi
host with fewer physical CPUs, which will probably save you money on
vSphere licensing costs. CPU cores are especially important when you
have VMs that will run CPU-intensive applications such as SSL
encryption or Microsoft SQL Server.

Tip #3: VM Memory 

It’s important to configure each VM with the proper amount of memory.
Exchange 2010 and Exchange 2007 are two of the more memory-hungry
applications. For a 10-user Exchange server running the Client Access
Server, Hub Transport Server, and Mailbox Server roles and management
tools, the server requires about 16GB of memory! A 300-user Exchange
server with the same roles requires about 72GB of memory for optimal
performance. Know the memory requirements of your applications, and
allocate the appropriate amount of memory to each VM without
overcommitting the memory on the ESXi host.

The x64 Windows platform can natively address up to 2TB of memory. If
your VM is running an x64 OS, then you can somewhat compensate for
poor disk performance on a VM by allocating more memory to the VM and
caching the data. Of course, if an ESXi host is already
memory-overcommitted and you increase the amount of memory allocated
to a VM, you’ll probably make the VM slower, not faster.

Tip #4: Number and Configuration of vCPUs on a VM 

When calculating the number and configuration of vCPUs on a VM, 
it’s important to know the application running on each VM. If the 
application is SMP-aware, then increasing the number of vCPUs on 
the VM should increase its performance—as long as you’ve allocated 
an appropriate amount of memory to the VM and as long as the ESXi 
host isn’t memory-overcommitted. 

With vSphere 5, you can specify the number of vCPUs and the number of
cores on each vCPU. For example, Exchange 2007 isn’t an SMP
application. If you determine that an Exchange 2007 server is
CPU-bound and running on a vSphere 5 ESXi host, you can increase the
number of cores on the vCPU while keeping only one vCPU. If the VM is
running Exchange 2010, which is an SMP application, you’d increase the
number of vCPUs, each with a single core, for the best performance
increases. Your mileage might vary, so perform some tests to determine
the optimal vCPU/core configuration for your environment.

Tip #5: Paravirtual SCSI Driver 

If you’re running in an ESXi cluster connected to a Fibre Channel or
iSCSI SAN, the VMware Paravirtual SCSI driver can give you better disk
throughput (10 to 25 percent) at a given level of CPU performance on
the host. You’ll see this benefit only when the hosts are connected to
a SAN, not DAS. The VMware Paravirtual SCSI driver does have some
limitations:

• The Paravirtual SCSI driver is supported only on VMs running 
Windows Server 2008 R2, 2008, 2003 R2, or 2003, or Red Hat 
Linux 5. 

• The VM must run VM hardware version 7 or later. 

• Fault-tolerant VMs can’t use the Paravirtual SCSI driver. 

Tip #6: VM Snapshots 

Snapshots are a great tool that can quickly get you out of a bind when
an upgrade or patch goes sideways. As a general rule, make a snapshot
of a VM just before you perform any upgrades or patches. If the
upgrade goes smoothly, you can incorporate the changes from the
snapshot or delta file into the base image of the VM. Otherwise, you
can revert back to the state of the VM prior to the snapshot.

VMs with active snapshots write any changes to a differencing disk or
delta file while the snapshot is active. If you leave a snapshot
active on a VM for a long time and multiple changes are made to the
VM, the delta file can grow very large; you can even run out of space
in the storage group. For this reason, I suggest that you snap a VM,
perform the upgrade, verify that everything is working, and then
remove the snapshot from the VM. Don’t leave the snapshot on the VM
active just because you might need it. Of course, an active snapshot
also slows down the performance of the VM. This performance hit is
most noticeable when the ESXi host is already heavily loaded.
Unnecessary active snapshots on a VM hurt VM performance and increase
the chances of running out of disk space on the VM.

Tip #7: iSCSI SANs and Jumbo Frames 

The Maximum Transmission Unit (MTU) default frame size is 1,500 bytes.
Enabling jumbo frames on an iSCSI SAN increases the MTU to 9,000
bytes. This increase allows more data to be transmitted in each
packet, boosting performance by 5 to 15 percent on an iSCSI SAN. The
benefit tends to be greater on 10 Gigabit Ethernet iSCSI SANs versus
1 Gigabit Ethernet iSCSI SANs.

Of course, you must make sure that you enable jumbo frames on every
device that’s connected to the SAN fabric. These devices can include
the SAN controllers, SAN switches, ESXi NICs, and firewalls that
connect to the SAN fabric. If you miss just one device on your iSCSI
SAN, you’ll probably decrease its performance because of dropped
frames. You can use the Iometer utility to determine the performance
increase before and after enabling jumbo frames on an iSCSI SAN. If
you experience a performance drop, you probably missed one or more
devices in your SAN fabric.

Tip #8: SAN Infrastructure 

Always use a dedicated network for your SAN fabric. A few years ago,
Fibre Channel over Ethernet (FCoE) was all the rage, but it never
really gained popularity. In my opinion, the best cost/performance SAN
solution is 10 Gigabit Ethernet iSCSI. It has better performance than
even 8 Gigabit Ethernet Fibre Channel, and at a lower cost.

Tip #9: Disk and RAID Configuration and SSDs 

With vSphere 5, you can now designate a storage group that comprises
solid state disk (SSD) drives. If an SSD storage group has been
defined, vSphere 5 uses it for memory page swapping. Ideally, you
should have enough memory in the ESXi host to avoid page swapping, but
if your server already has the maximum memory installed, this option
might be interesting. The performance won’t be as good as native
memory on the host but will still be better than swapping to non-SSD
storage on the host. As a general rule, try to avoid using RAID 6 for
storage groups, especially in write-intensive environments. RAID 6 has
two copies of parity, so writes are very expensive. If you want the
additional fault tolerance of RAID 6 without taking a performance hit
when writing to the disk, configure a RAID 5 array with one or more
hot spares.

Another possible application of SSD drives provides extremely fast
performance for x86 VMs that require fast disk access. For example, a
client has a VM that’s running an x86 version of SQL Server, which
can’t be upgraded for another year. In an x64 environment, I typically
load up the VM with a lot of memory and cache the entire database. But
an x86 OS can natively address only 4GB of memory, and the x86 version
of SQL Server can address only 2GB. In this situation, the client is
going to store this x86 VM on a storage group made from SSD drives,
for a significant gain in disk performance.

Tip #10: Thin vs. Thick Disk Provisioning 

When you create a VM, you have the option of thin or thick
provisioning of the VM’s hard disks. Thin provisioning initially
creates a small .vmdk file. This file starts out using only as much
space as the data that’s stored on the disk and grows to the
provisioned size. Thick provisioning creates a file on the ESXi host;
this file is the same size as the disk size, regardless of what’s
initially stored on the disk. Thin-provisioned disks can save space on
the storage group. However, you have a greater probability of quickly
running out of disk space on the storage group, and the performance of
the disk can suffer because of potential disk fragmentation. When the
storage group is on a SAN, your results can vary because some SAN
vendors actually use thin provisioning, even when the disks are
thick-provisioned on a VM. As a general rule, however, I suggest thick
provisioning disks. You’ll probably get better performance than with a
thin-provisioned disk and will reduce the probability of running out
of disk space on a storage group.

A Happy Tune 

These performance tips are highly dependent upon factors in your 
environment. Getting the memory configuration right on both the 
ESXi host and the VM is the most crucial factor for VM performance. 
Happy performance tuning!

InstantDoc ID 143563 
Managing Exchange ActiveSync Policies in Exchange Server 2010

Control user and device access to EAS

Once upon a time, the only way to get your email on a mobile device
was to use IMAP or POP (or Research in Motion’s BlackBerry devices,
but I’m going to pretend like those don’t exist because soon they
won’t). Either choice was widely—and correctly—perceived as a bad
deal. Neither protocol works especially well for mobile devices
because each depends on connection-based polling.

Microsoft surveyed this state of affairs and decided to attack it by
developing a protocol and server application to provide direct,
integrated mobile-device access for Exchange Server. That product,
Mobile Information Server, was eventually integrated into Exchange;
its protocol, Exchange ActiveSync (EAS), is now the de facto market
leader for mobile email and calendaring. Even Microsoft’s staunchest
competitors, including Google and IBM, have adopted EAS as the basis
of mobile-device access for their own email server products. EAS is
making inroads on the desktop, too, now that the Windows 8 Mail
application and Microsoft Outlook 2013 both support its use. It’s too
early to sound the death knell for Messaging API (MAPI), but we can
envision a future in which EAS is the primary protocol used for
Exchange synchronization.

The EAS protocol itself is only part of the complete mobile-device
access story for Exchange. There are four points of interest to us:

• The EAS protocol defines how clients and Exchange talk to each
other. The protocol defines how clients can synchronize data with, and
download device policies from, Exchange. Microsoft has released the
EAS protocol specifications so that, in theory, anyone can release a
completely functional EAS client just by reading the protocol docs and
writing a client that follows them.

• The server implements the protocol so that clients have something to
talk to. Different versions of Exchange implement different EAS
versions. For example, Exchange 2010 Service Pack 1 (SP1) implements
EAS 14.1, as does the preview version of Exchange 2013—although this
might change when the final product is released.

• Features that use the protocol let you do useful or interesting
things. For example, EAS 14.1 provides a feature that lets compatible
devices download Global Address List (GAL) photos. Depending on the
feature, you might or might not be able to enable or disable it
through EAS policy settings.

• Client apps use the EAS protocol to communicate with Exchange.
Clients are free to implement whichever parts of the protocol and
features they want. You can’t change which features clients support
unless you install a different client application, something that
isn’t always possible. Microsoft and Apple ship EAS clients on their
mobile devices; some Android device vendors do too, whereas others
require the user to download an app such as TouchDown or RoadSync.
(Note that the Microsoft article “Current issues with Microsoft
Exchange ActiveSync and third-party devices” shows known EAS issues
with different clients, but this list isn’t necessarily
comprehensive.)

The item of most interest to Exchange administrators is the server 
component. That’s where we get to control which devices and users 
are allowed to use EAS and what they can do with it when connected. 
(Microsoft controls the protocol, so we don’t get any control over it; 
mobile-client management is a thorny subject that I won’t address in 
this article.) 
Controlling EAS Availability for Users

By default, Exchange 2010 users have EAS device access. You don’t need
to do anything to let users sync their devices—which might or might
not be what you want. There are two competing schools of thought when
it comes to EAS access. Some administrators prefer to leave access
open to everyone, restricting only a subset of users (e.g., interns,
contractors) who don’t need EAS access. Others prefer to turn off
access for all users, and then re-enable it for selected users only.
Both approaches are easy to implement; they just require a slightly
different approach.

You have three options for controlling which users are allowed to 
use EAS. First, you can enable or disable EAS on individual Client 
Access servers. This type of restriction is the broadest option: A Client 
Access server that has EAS disabled won’t accept EAS connections, 
even from users who are otherwise authorized. Think of it as having 
a coupon for free ice cream and then presenting it at your local car 
wash. EAS depends on having a properly configured virtual directory 
set up in Microsoft IIS on the Client Access server. So to disable EAS, 
merely go into IIS Manager on the Client Access server, right-click the 
MSExchangeSyncAppPool object, and choose the Stop command. To 
turn EAS back on, right-click the stopped pool and choose the Start 
command. 

Second, you can enable or disable EAS on individual users by using the
Set-CASMailbox cmdlet. The ActiveSyncEnabled flag is what makes the
magic happen. For example, you can use something like the following to
enable all the users in the Sales OU for EAS (presuming that you’ve
disabled it for everyone else):

Get-Mailbox -OrganizationalUnit Sales | Set-CASMailbox -ActiveSyncEnabled:$true

To disable EAS for one or more users, just pipe the target mailboxes
to Set-CASMailbox with -ActiveSyncEnabled:$false. You can combine
Set-CASMailbox with whichever other Exchange Management Shell (EMS)
cmdlets you want. Of course, if you’d rather, you can use the Exchange
Management Console (EMC) instead: Just open the target mailbox’s
properties and use the appropriate controls on the Mailbox Features
tab.

There’s a third way to control which users have access to EAS, and 
that’s to create an EAS mailbox policy and apply it to users. This is 
generally the most robust means of control because the EAS policy 
mechanism gives you the most control over what the devices—and 
thus the users—can do. 
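
The "turn off for all, re-enable for selected users" approach described above, written as a reconciliation that touches only mailboxes whose state differs from the allow list. This is an added example, not code from the original article: Get-EasAccessChange is a hypothetical helper, Sales is the OU from the article's own example, and the sample mailboxes are constructed.

```powershell
# Added example: reconcile per-user EAS access against an allow list.
# Get-EasAccessChange is a hypothetical helper; 'Sales' is the OU used in
# the article's example. Sample data below is constructed.

function Get-EasAccessChange {
    param(
        # Get-CASMailbox output (DistinguishedName, ActiveSyncEnabled)
        [object[]] $CasMailboxes,
        # DistinguishedNames of mailboxes that are allowed to use EAS
        [string[]] $AllowedDn
    )

    $allowed = @{}                      # hashtable keys are case-insensitive
    foreach ($dn in @($AllowedDn)) {
        if ($dn) { $allowed[$dn] = $true }
    }

    foreach ($m in @($CasMailboxes)) {
        if ($null -eq $m) { continue }
        $want = $allowed.ContainsKey([string]$m.DistinguishedName)
        $have = [bool]$m.ActiveSyncEnabled
        if ($have -ne $want) {
            New-Object PSObject -Property @{
                DistinguishedName = [string]$m.DistinguishedName
                Current           = $have
                Desired           = $want
            } | Select-Object DistinguishedName, Current, Desired
        }
    }
}

if (Get-Command Get-CASMailbox -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: read the real state.
    $allowedDn = Get-Mailbox -OrganizationalUnit Sales -ResultSize Unlimited |
        ForEach-Object { $_.DistinguishedName }
    $cas = Get-CASMailbox -ResultSize Unlimited
} else {
    # Anywhere else: constructed sample so the logic can be followed offline.
    $allowedDn = @('CN=Ann,OU=Sales,DC=example,DC=com')
    $cas = @(
        (New-Object PSObject -Property @{
            DistinguishedName = 'CN=Ann,OU=Sales,DC=example,DC=com'
            ActiveSyncEnabled = $false }),
        (New-Object PSObject -Property @{
            DistinguishedName = 'CN=Bob,OU=Interns,DC=example,DC=com'
            ActiveSyncEnabled = $true })
    )
}

$changes = @(Get-EasAccessChange -CasMailboxes $cas -AllowedDn $allowedDn)
$changes | Format-Table -AutoSize

# Review the table first. -WhatIf reports each change without making it;
# remove -WhatIf to commit.
if (Get-Command Set-CASMailbox -ErrorAction SilentlyContinue) {
    foreach ($c in $changes) {
        Set-CASMailbox -Identity $c.DistinguishedName -ActiveSyncEnabled $c.Desired -WhatIf
    }
}
```

Running it on a schedule and alerting on a non-empty change table also catches mailboxes created later, which get EAS access by default.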

Assigning and Removing EAS Policies 

EAS policies are applied to users; each user can have zero policies or
one EAS policy at any given time. If you don’t explicitly assign a
policy to a user, the default policy is applied instead. The Microsoft
article “Understanding Exchange ActiveSync Mailbox Policies” specifies
the default behavior of this policy, which is pretty much what you’d
expect: Devices are allowed to sync without restriction, and no
password policy is enforced, but devices can be remotely wiped.

Now might be a good time to point out that the remote wipe feature
built in to EAS depends on the device receiving a policy update in the
first place. During the initial sync of a new device (that is, one
that hasn’t been synchronized to the server before), the device and
server exchange what EAS calls a policy key. Think of the policy key
as a GUID or MAC address; it’s a unique key that indicates one
specific policy. If the device and server keys don’t match, the device
is required to request the most recent policy and then apply it. The
process of applying a policy to the device is known as provisioning.
On most devices, the user will see a dialog box indicating that the
server is applying a policy and asking whether to accept it. If the
user declines the policy, the server might or might not allow the
device to continue to sync to it; the exact behavior depends on
whether the default policy on the server allows non-provisioned
devices.

You can have multiple EAS policies defined; switching a user to a
different policy is simple. The -ActiveSyncMailboxPolicy switch for
Set-CASMailbox controls which policy is assigned to a given mailbox.
You can assign a policy by specifying the policy as an argument to
this switch. The simplest method is by calling
Get-ActiveSyncMailboxPolicy with the name of the policy you want, as
in this example:

Set-CASMailbox -Identity paul@robichaux.net -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Sales").Identity

You can remove the existing policy by passing $null as the value to 
ActiveSyncMailboxPolicy. Doing so causes the user to get the default 
policy. There’s no way to have a user who doesn’t have any policy at 
all defined. 

Creating and Managing Policies 

On the Exchange side, EAS policies are pretty straightforward. The
trick is to remember that not every device will implement every policy
setting, and that devices sometimes lie about which policy settings
they actually implement. (A semi-official Wikipedia page shows the
current state of client support for a variety of devices.) There are
three ways of working with EAS policy objects:

• In EMC, policies can be created and modified under the Exchange 
ActiveSync Mailbox Policies tab, which is under the Client Access 
node beneath the organization object. 

• In the Exchange Control Panel (ECP), you can create, remove, and 
modify EAS policies by using the ActiveSync Device Policy slice 
under the organization object’s Phone & Voice tab. 

• In EMS, you can use the *-ActiveSyncMailboxPolicy cmdlets to
create and remove EAS policy objects (New-ActiveSyncMailboxPolicy
and Remove-ActiveSyncMailboxPolicy) or to view or
change settings of an existing policy (Get-ActiveSyncMailboxPolicy
and Set-ActiveSyncMailboxPolicy).

There are minor differences in terminology between these three
implementations, and not every configurable option is present in ECP. For
simplicity, I’ll discuss the EAS interface as it appears in EMC.

What's in a Policy? 

Let’s take a look at the major categories of available policy settings by 
touring the tabs in the policy Properties dialog box in EMC. 

[Figure 1: EAS Mailbox Policy Properties]

General tab. The General tab (see Figure 1) contains only three
controls of interest:

• A field in which you can change the policy name (which 
Exchange ignores anyway) 

• The Allow non-provisionable devices check box, which controls 
whether devices that don’t accept a policy can sync, and which 
might represent a risk when enabled, given that you’re essentially 
opening sync to any device, even one that can’t implement the 
policy or that’s blocked by the user 

• The Refresh interval (hours) check box and text field, which control
how often the server tells the device to request policy updates
and which are cleared by default (meaning that the server never
forces a timed update) but could be set to a value such as 24
hours if needed

[Figure 2: EMC Properties Password Tab]

Password tab. The next (and arguably most important) group 
of settings appears on the Password tab (Figure 2) and controls 
device passwords, including whether a password is required. Most 
organizations that allow mobile-device access require the use of a 
password. Although entering a password can be inconvenient, it’s 
a useful security measure and usually worth the additional hassle. 
The settings on this tab include the following: 

• Require password—When the Require password check box is
selected, the EAS policy forces the device to require a password.
None of the other password options are active when this check
box is cleared. If you select this setting without changing any of
the other settings, the policy requires a simple 4-digit PIN.

• Require alphanumeric password—If you don’t want to allow
numeric-only passwords, the Require alphanumeric password setting
lets you force users to use a character or symbol in addition to
numbers. The biggest drawback to this requirement is that the on-screen
keyboard that the device shows for password entry is easiest
to see and use when it contains only numbers. Requiring alphabetic
characters means that the device must display its full alphanumeric
keyboard, making password entry a little more difficult.

• Minimum number of character sets—The Minimum number of
character sets option should really be called something like “password
complexity,” because it specifies how complex the password
must be. Character sets include lowercase letters, uppercase letters,
symbols, and numbers. Setting this value to 2, for example,
requires that the user pick a password that includes characters
from at least two of those four sets. The default value of 1 allows
users to specify all-numeric passwords.

• Enable password recovery—When the Enable password recovery
check box is selected, users can use Outlook Web App (OWA)
to look up a device-specific recovery password, then enter that
password to unlock the mobile phone. Exchange administrators
can also use the EMC to look up recovery passwords. Windows
Phone, Apple iOS, and most Android clients don’t support this
setting, which is too bad. It’s a useful capability.

• Require encryption on device and Require encryption on storage
card—The two encryption requirements settings control whether the
device is required to use onboard encryption to protect locally stored
data. This is one area in which client software—Apple’s in particular—has
been caught failing to apply device encryption, but it seems
that all the major client vendors now properly handle this setting.

• Allow simple password—When selected, the Allow simple password
check box allows the use of a simple 4-digit, numeric-only PIN.

• Number of failed attempts allowed—In Active Directory (AD),
we have the option to lock out an account after a certain number
of failed logon attempts. In EAS, we get the option to force
a device erasure after a user enters the wrong password a specified
number of times.

• Minimum password length—As its name implies, the Minimum
password length option lets you set a password length from 4 to
18 characters.

• Time without user input before password must be re-entered (in
minutes)—The Time without user input before password must be
re-entered (in minutes) option controls how long the mobile phone
must be idle before the user is prompted for a password when
trying to unlock it. On most clients, this setting is a floor. That is,
if you set this value to 10 minutes, and the user separately sets a
device lock time of 5 minutes, the shorter of the two times is used.

• Password expiration (days)—The Password expiration (days) setting
controls how long the user-selected password remains valid
before it must be changed. This is a tricky setting: Users hate
forced PIN changes, so enabling this setting is likely to generate
some discontent, especially because users seem to be less likely
to write down their PINs in the way that they might write down a
complex AD password.

• Enforce password history—You can use the Enforce password history
setting to prevent users from reusing previous device passwords.
However, because there’s no way to expire the device passwords as
you can for AD passwords, this capability isn’t terribly useful.
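
The General and Password tab settings described above can also be set from EMS. The following is an added example, not code from the original article: it creates or updates a policy with Exchange 2010 parameter names and assigns it to one mailbox. The policy name, the mailbox address, and every value chosen are assumptions for illustration.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# Policy name, mailbox, and all values are illustrative assumptions.
$policyName = 'Sales-Hardened'
$mailbox    = 'user@example.com'

$settings = @{
    Name                               = $policyName
    # General tab
    AllowNonProvisionableDevices       = $false        # devices that refuse the policy cannot sync
    DevicePolicyRefreshInterval        = '1.00:00:00'  # Refresh interval: 24 hours
    # Password tab
    DevicePasswordEnabled              = $true         # Require password
    AlphanumericDevicePasswordRequired = $true         # Require alphanumeric password
    MinDevicePasswordComplexCharacters = 2             # Minimum number of character sets
    PasswordRecoveryEnabled            = $true         # ignored by clients that lack support
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    AllowSimpleDevicePassword          = $false        # no 4-digit numeric PINs
    MaxDevicePasswordFailedAttempts    = 8             # device is wiped after this many failures
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = '00:10:00'    # idle time before the password prompt
    DevicePasswordExpiration           = 'Unlimited'   # no forced password changes
    DevicePasswordHistory              = 0
}

# Create the policy if it is missing; otherwise bring it to the values above.
if (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    $settings.Remove('Name')
    Set-ActiveSyncMailboxPolicy -Identity $policyName @settings
} else {
    New-ActiveSyncMailboxPolicy @settings
}

# Assign the policy to one mailbox, then read back what the server stored.
Set-CASMailbox -Identity $mailbox `
    -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy $policyName).Identity

Get-CASMailbox -Identity $mailbox |
    Format-List Name, ActiveSyncMailboxPolicy, ActiveSyncMailboxPolicyIsDefaulted

Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, AllowNonProvisionableDevices, DevicePasswordEnabled,
        AllowSimpleDevicePassword, MinDevicePasswordLength,
        MaxDevicePasswordFailedAttempts, RequireDeviceEncryption
```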

Sync Settings tab. The controls on the Sync Settings tab (Figure 3)
control what the device is allowed to do when it synchronizes. You
can limit the number of days’ worth of calendar items or email that
can be synced to the device, although most mobile clients have better
controls for selecting how much email is synchronized and from
which folders. The two most interesting controls on this tab are the
Allow Direct Push when roaming check box, which controls whether
devices that are roaming away from their normal cellular carrier network
are allowed to use push email, and the Allow attachments to be
downloaded to device check box, which gives you a way to keep users
from downloading potentially sensitive attachments.

[Figure 3: EMC Properties Sync Settings Tab]

Device tab. Mobile-device hardware has changed a lot over the past
several years. Even low-end devices now usually have high-resolution
cameras, Bluetooth audio streaming, and other features that once were
reserved for high-end devices. Not every organization wants all these
features to be available to users. Some customers, such as parts of the
US federal government, solve the problem by buying devices that don’t
have the unwanted features; you can actually buy modern smartphones
from which the camera has been removed. More often, though, organizations
either tell users not to do certain things (e.g., bring cellphones
into the lab) or use technical controls to try to block the actions.

The controls on the Device tab (Figure 4) fall into the latter category.
EAS provides a means for you to define a policy that blocks
certain device features from working ... if the device supports those
policy settings. Many devices don’t, either because the policy setting
doesn’t make sense (such as enabling the Allow infrared setting on
iOS devices, which don’t have infrared [IR] ports) or because the EAS
client vendor didn’t bother to implement support for the setting. If
you’re depending on these controls as a major part of your mobile-device
security strategy, be sure to confirm that your devices actually
implement the policies you care about.

[Figure 4: EMC Properties Device Tab]

Device Applications tab and Other tab. The two remaining tabs,
Device Applications and Other, are vestigial, like your appendix.
Microsoft added them to lay the groundwork for policy controls that
would regulate which applications could run on managed mobile
devices. However, no clients support this EAS feature. Companies
that want to actively manage which apps their users are allowed to
run have been buying dedicated mobile-device management solutions,
so there’s been little demand for a fuller implementation of
this feature.

EAS and Remote Wipe 

Being able to remotely erase a lost or stolen device is a great security
feature, provided you don’t mind erasing the entire device and
not just the portion of data belonging to the organization. There
are two primary ways to initiate a remote wipe: The user can do it
through ECP, or the administrator can do it through EMC. In either
case, the wipe process itself requires that the device receive the
command, meaning that the wipe won’t happen until the next time
the device wakes up and attempts to sync with the server. Therefore,
a lost device that runs out of battery power doesn’t execute the
wipe command until it’s recharged. The device isn’t supposed to
give the user a chance to opt out of the wipe operation, either. Keep
in mind that Exchange can show you when the wipe was requested,
but it will only display an acknowledgement of the wipe command
if the device returns one.
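
Two checks follow from the text: whether each device reports that it applied its policy in full, and whether a requested wipe was ever acknowledged. The following is an added example, not code from the original article; the property names are those returned by Get-ActiveSyncDeviceStatistics, while the function name Get-EasDeviceFinding and the sample records are hypothetical and constructed so the logic can be tried without an Exchange server.

```powershell
# Added example. Get-EasDeviceFinding is a hypothetical helper name.
# Input: objects shaped like the output of Get-ActiveSyncDeviceStatistics.
# Note that the policy status is what the device itself reports to the server.
function Get-EasDeviceFinding {
    param([Parameter(ValueFromPipeline = $true)] $Device)
    process {
        $findings = @()

        # Anything other than AppliedInFull means some settings are not enforced.
        $status = "$($Device.DevicePolicyApplicationStatus)"
        if ($status -ne 'AppliedInFull') {
            $findings += "policy '$($Device.DevicePolicyApplied)' status is $status"
        }

        # A wipe that was requested but never acknowledged may not have run yet.
        if ($Device.DeviceWipeRequestTime -and -not $Device.DeviceWipeAckTime) {
            $findings += "wipe requested $($Device.DeviceWipeRequestTime), not acknowledged"
        }

        if ($findings.Count -gt 0) {
            New-Object PSObject -Property @{
                DeviceID    = $Device.DeviceID
                DeviceModel = $Device.DeviceModel
                Findings    = $findings -join '; '
            } | Select-Object DeviceID, DeviceModel, Findings
        }
    }
}

# Constructed sample records (not real devices) for trying the logic offline.
$sample = @(
    New-Object PSObject -Property @{
        DeviceID = 'CONSTRUCTED01'; DeviceModel = 'PhoneA'; DevicePolicyApplied = 'Sales'
        DevicePolicyApplicationStatus = 'AppliedInFull'
        DeviceWipeRequestTime = $null; DeviceWipeAckTime = $null }
    New-Object PSObject -Property @{
        DeviceID = 'CONSTRUCTED02'; DeviceModel = 'PhoneB'; DevicePolicyApplied = 'Sales'
        DevicePolicyApplicationStatus = 'PartiallyApplied'
        DeviceWipeRequestTime = $null; DeviceWipeAckTime = $null }
    New-Object PSObject -Property @{
        DeviceID = 'CONSTRUCTED03'; DeviceModel = 'TabletC'; DevicePolicyApplied = 'Sales'
        DevicePolicyApplicationStatus = 'AppliedInFull'
        DeviceWipeRequestTime = (Get-Date '2013-01-10 09:00'); DeviceWipeAckTime = $null }
)

# PhoneB and TabletC are reported; PhoneA is clean.
$sample | Get-EasDeviceFinding | Format-Table -AutoSize -Wrap

# Against a live organization, in the Exchange Management Shell:
# Get-CASMailbox -ResultSize Unlimited -Filter 'HasActiveSyncDevicePartnership -eq $true' |
#     ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
#     Get-EasDeviceFinding
```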

The Future of EAS

Because Microsoft has built EAS support into the built-in Windows 8
Mail client and Outlook 2013, and because of the huge installed base
for EAS, it’s safe to bet that EAS will be around for the long term. It’s
interesting to see how the OWA team has been positioning OWA in
Exchange 2013; it’s designed to work better than previous versions on
tablet and mobile devices, and it offers offline support. The existence of
a Microsoft-provided rich mobile client will hopefully induce Apple, the
various Android OEMs, and even the Windows Phone team to step up
their game and deliver more of the functionality already specified in the
EAS protocol. There are encouraging signs that Windows Phone 8 will
feature improved EAS support, although Microsoft hasn’t yet released
any details. It’s also possible that we’ll see some improvements in the
EAS protocol itself, such as a means for EAS devices to access Exchange
personal archives. No matter how Microsoft changes the base protocol,
though, being familiar with how to administer EAS devices is an important
part of running an Exchange organization. ■

InstantDoc ID 144060

Getting Started with Windows
Server Virtual Machines on
Windows Azure IaaS

This free solution is straightforward and easy to use 


As the IT community continues to adopt more cloud offerings,
cloud services vendors are expanding their portfolio of product
offerings to meet the needs and desires of their clients.
One prime example is Microsoft Windows Azure.

Previously, Windows Azure was purely a Platform as a Service
(PaaS) offering, providing storage, compute, relational database services,
and so on. Compared with other cloud vendors that offer Infrastructure
as a Service (IaaS), such as Amazon with Amazon Web
Services (AWS), Windows Azure’s PaaS-based design meant that you
couldn’t create a virtual machine (VM) from a library of VMs and
then install any applications and services that you wanted on it. Fortunately,
this is now changing.

Just as I did in “Getting Started with Windows Server on Amazon
Web Services,” in this article I focus on getting a Windows Server
2008 R2 VM running on Windows Azure’s IaaS offering and connecting
to it via Microsoft RDP. Getting started with Windows Azure
IaaS is easier than you might think—and very cost effective. At the
time this article was written, Microsoft was offering a 90-day trial of
Windows Azure.



Michael Dragone
is a contributing editor for
Windows IT Pro and an
infrastructure engineer. He
Messaging, MCTS, and MCITP
credentials and remembers
when Windows IT Pro was
called Windows NT Magazine.

First Things First 

The first thing you’ll need is a Microsoft account, which you probably
already have. Formerly known by other names such as Windows Live
ID and Microsoft Passport, these accounts are commonplace if you’ve
done just about anything with a Microsoft website. If not, you can
head over to http://account.live.com to get one.

[Figure 1: Creating the Azure Portal]

I already had a Microsoft account that I planned to use, so I was
able to skip this step and simply go to the Windows Azure website.
Once there, I clicked the inviting Free trial button in the upper-right 
corner of the site. From there, I read about the free trial offering and 
clicked try it free to get started. I then signed in with my Microsoft 
account and was prompted to create an associated Windows Azure 
account for my 90-day trial. I was required to enter a major credit 
card number in case my usage went beyond the trial limitations. I 
also needed to provide a telephone number to receive a phone call or 
SMS message with a one-time authorization code. Likewise, I needed 
to enter my billing information. If you’ve bought anything over the 
Internet in the past decade, this will all be familiar to you. 

After entering my information, I received a message indicating that
my Windows Azure subscription was being created. After approximately
5 minutes I received an error message stating that a feature
couldn’t be activated. I was at first unsure how to proceed, so I went
back to the Windows Azure website and attempted to log in. Fortunately,
I was still able to access the Azure portal, as Figure 1 shows.
But it wasn’t the Modern UI (formerly known as Metro) style that I
was expecting. I had been viewing some Azure-related videos earlier
and they all had a different UI, which apparently is still in a preview
stage. Switching to the preview portal was easy: I just clicked Visit the
Preview Portal at the bottom of the page.

Configuration 

Once bathed in Modern UI goodness, as Figure 2 shows, I was unable 
to find any way to create my new VM. I was expecting to see a Virtual 
Machines link on the left of the page but did not. I elected to click the 
large New button on the bottom of the screen and from there found 
out that the VM offering is still in a preview phase as well. However, 
signing up for the VM preview was easy, too. I clicked Try It Now next 
to Virtual Machine and Virtual Networks. 



Access to the preview program was limited, and I had to wait approximately
one week before I received an email stating that I now had
access. (Be aware that you might or might not have a wait time, and
that it might vary, depending on your individual circumstances.) After
gaining access, I clicked the Virtual Machines link on the left side of
the Azure portal and was told that I had no VMs, as Figure 3 shows.

I clicked the Create a Virtual Machine link and was presented with
an easy-to-follow screen for creating my new VM, as Figure 4 shows.
I gave the VM a DNS name of testvm-md.cloudapp.net, selected a
Server 2008 R2 SP1 image from August 2012, set a password, and
changed my location from West US to East US, because I’m on the
East Coast of the United States. (For those of you using Windows
Server 2012, that OS is also available.) I left the size set as Small; I
didn’t expect to go beyond the limitations of one processor core and
1.75GB of memory for this test VM.

[Figure 3: Starting Without VMs]

[Figure 4: Creating a New VM]

After clicking Create Virtual Machine, I received a message stating
that the VM was “Starting (Provisioning).” While this was occurring,
I poked around the Azure portal and noticed that the necessary
Windows Azure storage for my VM was being created automatically.
I also examined my new VM from within the portal and was able to
see details such as the number of cores assigned, Azure storage being
used, DNS name of the VM, IP addresses, and so on. After 3 to 5 minutes
of waiting, I noticed that the newly created storage was online.
Shortly thereafter I received a message that my VM was “successfully
created.” The VM’s state was then listed as “Running (Provisioning).”
I waited for the status to change to “Running” before eagerly clicking
the inviting Connect button at the bottom of the page.

Clicking this button downloaded an RDP file that was preconfigured
to connect to testvm-md.cloudapp.net on the standard RDP port
3389. Double-clicking the RDP file to run it, I was prompted to enter
the password for the Administrator account that I had created earlier.
After accepting some certificate warnings—which I was expecting to
see, because this was a test VM and I hadn’t configured any third-party
certificates (or any certificates, actually)—I was logged on to
the VM and was greeted with the familiar Server Manager screen,
seen after an installation of Server 2008 R2.

After exploring for a few minutes, I logged off from my VM by using
the Start, Log Off option. I then shut down the VM in the Windows
Azure portal. The VM’s state changed from “Running” to “Stopping.”
Shortly thereafter, I received a message stating that the VM was successfully
shut down but would still incur charges because it would
continue to consume resources (e.g., storage, IP address). Because
I created this VM only to test Azure, I elected to delete the VM, its
Virtual Hard Disk (VHD—found within the Disks area of the Virtual
Machines link), and the underlying Azure storage that was automatically
created. Because my DNS name of testvm-md.cloudapp.net was
no longer tied to a VM, I found it sitting within the Cloud Services
area and deleted it, as well.




Check It Out 

Even though this part of Windows Azure is still in a preview phase, I
came away impressed with Microsoft’s IaaS offering. Compared with
AWS, I found getting going quickly on Windows Azure to be far more
straightforward, and I believe other IT pros will agree. Although Windows
Azure overall isn’t currently as full-featured as AWS, there’s
much potential in this IaaS offering. ■

INFORMATION TECHNOLOGY


Turkish Company Delivers 
Innovative Banking Solutions 


Intertech, a major banking software development
company in Turkey, provides 15 banks
with innovative core banking solutions.
In addition, Intertech's areas of expertise
include Business Process Management
(BPM), Alternative Distribution Channels
Management (ADC), Customer Relationship
Management (CRM), Data Warehouse
(DWH) and Business Intelligence (BI)
solutions. Intertech offers professional services
with its customer-oriented approach,
experienced staff, innovative and dynamic
management team, organizational structure,
and knowledge of the modern market needs.



Among the technology that businesses
need to grow and gain competitive
advantages, a few need more expertise
than deploying virtualization and its
underlying hardware and management infrastructure.
Finding a business partner that
a company can work with to translate its
business needs and visions into the technical
solutions that are necessary to drive that
vision can be a difficult task. This is especially
true when you need to evaluate a wide range
of solutions from a variety of vendors. The
competencies necessary to effectively translate
business needs to technical solutions need
to readily be at hand for a company's technical
partner to be effective and successful.

With virtualization and private cloud as
the key to an agile and responsive business
environment it is critical that businesses have
technology partners that understand their
needs. Simply layering applications on top of
the latest in server and storage technologies or
deploying the newest server and client operating
systems isn't enough. Getting value from
these investments in technology means that
a business has to be able to take advantage of
the synergies that an integrated infrastructure
designed to support their business needs and
future growth can deliver.

These capabilities are part of what made
Intertech a natural fit for fast-growing Turkish
financial institution DenizBank, and
they are part of what made Intertech an HP-Microsoft
Frontline Partner of the Year 2012.
The other part of the puzzle for DenizBank
was Intertech's Inter-Next core banking
platform. The cloud-distributable
banking specific application is a
CRM-driven sales and service platform
built on Microsoft .NET and
SQL Server technologies. Intertech
is committed to delivering cloud-based
services to DenizBank and
future bank customers.

When DenizBank made the decision, as suggested
by Intertech, to move to a Windows
Server 2008 R2 Hyper-V environment they
were able to also take advantage of the new
Microsoft System Center 2012 management
suite. The bank's decision was driven by the
capabilities of System Center, and the addition
of new features in System Center 2012, such as
the automation offered by Orchestrator. With a
basic infrastructure of 64 Hyper-V hosts with
more than 800 VMs, DenizBank is using System
Center Virtual Machine Manager.

To build the underlying hardware infrastructure
needed for servers, networking, and
storage DenizBank and Intertech looked to
HP. The core Hyper-V host servers are a mix
of ProLiant BL460 G6 blade servers. The
cloud infrastructure uses HP BladeSystems,
HP Virtual Connect Enterprise Manager
management software, HP Virtual Connect
Flex-10 Ethernet modules, and Virtual Connect
SAN modules. Utilizing the Virtual
Connect modules allowed for the virtualization
of both networking and storage, enabling
the entire infrastructure to be optimized for
cloud deployment and enhanced performance.

The current infrastructure is
designed to support as many as 1500
VM instances, and is hosting many
of the bank's production applications
as cloud services. This includes
the bank's CRM application, several
large SQL Server 2008 databases
that contain more than 10 terabytes of data,
and the SharePoint Server 2007 installation
that is the company's main access portal for
daily use by over 12,000 employees.

The end result of the Intertech/DenizBank
project is a highly efficient, customer
optimized, workflow infrastructure that has
provided significant savings by reducing the
need for datacenter expansion, provided faster
response to business needs, and improved
the availability of IT services and applications.
DenizBank also expects the simplified
management, and ease of support of the cloud-based
services to allow their internal IT staff
to focus on R&D, allowing them to maintain
a technical advantage over their competitors
while providing a fast and responsive infrastructure
to better serve customer needs.

Product News 
for IT Pros 

Splunk Launches Splunk Enterprise 5 

Splunk announced the general availability of Splunk Enterprise 5, a
faster, more resilient version of the company’s flagship product. The
latest release includes added features to create a powerful platform for
developers building big data applications. “Even as data volume and
complexity are growing exponentially, the time people are willing to
wait for answers is shrinking,” said Guido Schroeder, Splunk’s senior
vice president of products. Reports are up to a thousand times faster,
and dashboards are easier to navigate and share with Splunk Enterprise 5.
Dynamic drilldowns integrate simple workflows, providing
a more intuitive user experience. Integrated PDFs enable reports or
dashboards to be shared with anyone on demand or on a scheduled
basis. Splunk Enterprise 5 also contains significant platform features
to drive greater extensibility, modularity, and interoperability. For
more information, check out the Splunk website.

Wilocity WiGig Technology to Power Multi-Gigabit 
Wireless Connectivity in Dell Ultrabook 

Wilocity announced that it is jointly providing tri-band wireless chipsets
with Qualcomm Atheros for Dell’s first WiGig-enabled Ultrabook
for business, the Latitude 6430u. WiGig technology represents
a new and major step forward in the wireless mobile experience by
allowing data transfer rates that are over 10 times faster than current
Wi-Fi technologies. Wilocity and Qualcomm Atheros’ tri-band system
allows Ultrabook users to connect to peripherals such as docks, displays,
and storage at multi-gigabit speeds, while maintaining standard
Wi-Fi coverage throughout the enterprise. The Dell Latitude 6430u
incorporates Wilocity’s implementation of the WiGig Wireless Bus
Extension, realizing the vision of a thin and light platform that can
achieve the performance levels of—and access all the interfaces of—a
much larger platform. When combined with a Dell WiGig-enabled
docking station, which will also be powered by Wilocity, the Latitude
6430u will wirelessly connect with a wide range of I/O devices, such
as external graphics processing, storage, peripherals, and expansion
slots. For more information, see the Wilocity website.

TITUS Mobile Secures Corporate Information 
on Mobile Devices 

TITUS introduced TITUS Mobile, an easy-to-use mobile email security
solution. TITUS Mobile is a secure email app that keeps employees’
personal and business email separate, helping organizations protect
corporate email on mobile devices. It’s a container that allows users
to securely view email and attachments on their mobile device, while
not keeping information on the device. Not only is TITUS Mobile easy
to adopt and deploy, it is mobile device management (MDM)-friendly,
and it can be an integral part of any corporate mobile strategy. Based
on the proven Microsoft Exchange Server email foundation, TITUS
Mobile deploys quickly and easily on your existing Exchange infrastructure,
and it can be easily added to a user’s iPhone or iPad without
requiring it to be downloaded from an app store. For more information,
visit the TITUS website.



Cypherix Encrypts Any Data, Any PC, Any Media 

Cypherix announced the release of its Cypherix LE 10.0 encryption
software. Cypherix LE encrypts any type of data on any Windows
PC on any kind of media. Specially tailored to address the security
and privacy needs of the average PC, Cypherix LE combines ease of
use and simple drag-and-drop operations. Its powerful 448-bit strong
encryption ensures total security with zero learning curve. The new
version contains several useful features, bug fixes, and enhancements,
including the following: Cypherix is compatible with all 32-bit and
64-bit versions of Windows, including Windows 7 and Windows 8;
the UI has been redesigned so that you can have several volumes open
at the same time within one window; and due to popular demand,
the volume size has been upgraded to support multiple-terabyte volumes.
For more information, check out the Cypherix website.



Specops Software Fully Automates Windows 8 and 
Windows Server 2012 Deployment 

Specops Software announced that it has updated Specops Deploy to
support Windows 8 and Windows Server 2012. Specops Deploy 4.7
makes it easier than ever to achieve full automation for all OS and
application installations, including the new Modern UI style applications
in Windows 8. Specops Deploy 4.7 is an Active Directory
(AD)-integrated deployment system that runs within the existing infrastructure
and is capable of quickly installing or reinstalling Windows
and any necessary applications whenever the need arises. Together
with the Specops Self-Service Portal, Specops Deploy also makes it
possible to find the right balance between user-driven and centralized
application and service management. The Self-Service Portal allows
end users to request applications and services as necessary, and it
includes an approval workflow where managers can approve or deny
requests from their own users. Although many of the features in the
new release are focused on Windows 8 and Server 2012, Specops
Deploy works just as well with older versions of Windows. For more
information, visit the Specops Software website.


PHD Virtual Provides Efficient Backup Solutions for
Enterprise Environments

PHD Virtual Technologies announced the viability of its solutions for
large enterprise environments as well as small businesses with growing
data storage, backup, and recovery needs. PHD Virtual Backup 6.0
gives customers of all sizes the scalability and flexibility they need, but
for large enterprises, these products make backup processes easier to
manage and more efficient, while also providing fully recoverable data
at a moment’s notice. They also consume the least amount of overhead
and capital when compared with other products on the market
and provide encrypted data protection that is required at larger enterprises.
PHD Virtual benefits for large enterprise environments include
complete or partial restorations, TrueDedupe technology (deduplication
and compression of the source data are performed before sending
the information across the WAN/LAN and before the data is written to
disk), a parallel processing model, and fault-tolerant scaling. For more
information, see the PHD Virtual Technologies website.

SecureAuth Improves SharePoint Integration and Security 

SecureAuth announced an enhancement to SecureAuth IdP that
frees SharePoint administrators, integrators, and resellers from
being restrained to authenticate users physically on an enterprise
domain or having to obtain enterprise domain access via cumbersome
VPN connections and thick clients. In its latest product
enhancement, SecureAuth IdP integrates two-factor authentication
and WS-Federation support so that enterprises can offer SharePoint
files and apps to mobile users, partners, suppliers, and customers
who don’t use the enterprise’s domain. This product enhancement
offers developers a secure and more robust method of authentication
than NT LAN Manager (NTLM) or Kerberos. SecureAuth IdP
with WS-Federation lets enterprises locate their datastore and servers
anywhere, including with cloud identity management services
that host the datastore; offers abstract authentication workflow with
two-factor authentication to offer stronger security; and enforces
authorization based on pre-existing groups established by the enterprise’s
access management policies. For more information, visit the
SecureAuth website. ■

Delivering Cloud Services Where Needed

OCSL, a leading UK Systems Integrator, was nominated as the HP and Microsoft Frontline Partner
(FLP) of the Year by the joint Microsoft and HP Partner Account Manager team members who
oversee and manage OCSL. OCSL was chosen as the winner after review by the FLP management
team because the win encompasses a good Microsoft/HP private cloud solution and highlights the
joint solutions Microsoft and HP are offering clients in the current marketplace. Andrew Morlidge,
HP Alliance Director at Microsoft, says, “We have had an extremely close relationship with OCSL
for several years. As an award-winning partner they have the skills, experience and access to expertise
within Microsoft to deliver a first-class service to our mutual clients. I’d highly recommend them.”

In addition to being awarded FLP of the Year, OCSL won Microsoft UK Country Partner of the 
Year at the 2012 Worldwide Partner Conference. OCSL is a leading UK HP partner holding the 
status of Converged Infrastructure Partner of the Year. You can contact OCSL (www.ocsl.co.uk) by 
phone (01403 708999) or email (info@ocsl.co.uk). 


To provide the necessary level of reliability and flexibility to its
customers, OCSL delivers a combination of HP servers and storage and
Microsoft virtualization and systems management that enables their
customers to build and deploy cloud-based solutions to meet their
current and future needs. With a goal of delivering end-to-end solutions
that give customers maximum performance, reliability, usability, and
flexibility, OCSL builds customer solutions that deliver the best possible
Infrastructure as a Service (IaaS) experience.

Embracing the HP-Microsoft Infrastructure to Application model (I2A)
places the focus on delivering the best possible application performance,
while making sure that the applications and their delivery are robust and
reliable, with the availability necessary for the customer to get their jobs
done. This means that, from a customer perspective, everything just
works—with the vendor providing turnkey solutions that directly address
their business needs, for hardware and software.

And while application software and its delivery are key elements, the
underlying infrastructure requires matching operations management tools.
This plays into HP’s strengths with their long history of excellent hardware
systems management tools such as HP Insight. But hardware management is
only one side of the coin, and Microsoft System Center and Hyper-V provide
the broad range of management and virtualization capabilities necessary to
deliver a state-of-the-art platform.










Accepting the Frontline Partner of the Year award for OCSL are (L-R)
Jesse Chavez, VP WW Channel Sales and Alliances, Enterprise Group at HP;
Mark Skelton, Microsoft Practice Leader OCSL; Mark Tennant, PBM at
Microsoft; Geoff Nyheim, VP WW SMS&P Corporate Accounts and Partner
Sales Microsoft.


IaaS is a core component of the cloud computing experience. It requires
highly reliable virtualization, solid hardware for both servers and storage,
and the tools necessary to deliver computing services to the end user. To
this end, HP delivers the HP CloudSystems Matrix, which enables the rapid
provisioning of the customer's applications throughout their cloud
enterprise. Through OCSL, the Matrix delivers HP blade systems running
Microsoft Windows Server 2008 with Hyper-V, the HP Matrix Operating
Environment, and HP Cloud Service Automation.

With this combination of hardware, systems management, and applications
software, it's possible to predefine a broad range of configurations that
will meet a customer's business needs. Changes in those needs are more
easily accommodated because the flexibility of the solution means that
provisioning or re-provisioning servers, storage, and connectivity can be as
simple as applying a previously created template that defines the new
business need in terms of the resources required. It can make use of a
self-service portal that gives them the simplicity of a pick-and-choose menu
when selecting or defining the capabilities that they need to provision and
the tasks can be accomplished in minutes, rather than the days that such
tasks may have taken before the implementation of the internal cloud
services.

The convergence of all of these components has a single goal: to make
business more efficient. From that improved efficiency grows all of the
other benefits that a growing and cutting-edge business can use to make
sure that they don't simply keep up with the competition but can lead the
way.




A Solution for South Tees Hospitals 

South Tees Hospitals NHS Foundation Trust provides general hospital
services for 400,000 people in the North East of England, and specialist
services to 1.5 million people. The Trust manages two hospitals: the
James Cook University Hospital in Middlesbrough and the Friarage Hospital
in Northallerton, North Yorkshire.


OCSL implemented a Microsoft/HP Private Cloud Solution to meet the challenges faced by the South Tees 
Hospitals NHS Foundation Trust. New virtualization servers were installed and the first 20 of the existing 
servers were virtualized to run on Hyper-V. This also included an implementation of the Microsoft System 
Center Virtual Machine Manager (SCVMM). The Microsoft solution has cut expected downtime by a factor 
of three. If required, South Tees can now be up and running within minutes. Anthony Jackson, ICT Senior 
Systems Administrator, said, “Virtualization was something we just had to do due to the lack of space and 
power resources. We found the Microsoft solution to be a more cost-effective route than the alternatives, 
and more compatible with other systems.”

TransVault Insight

TransVault Software is well known for its archive migration product
TransVault Migrator. However, it has now branched out into
PST management and migration. As most Microsoft Exchange
Server administrators know, PSTs can be a challenge to manage. Many
projects to import PSTs into an archive are started but never completed
simply due to the complexity, time, and resources required to
gather and import all the data. TransVault Insight provides a variety of
options to help manage PSTs and remove them when necessary.

The product offers a wealth of features, which is essential given
that there are already free tools from Microsoft to enable moving
PSTs to the cloud and to on-premises Exchange servers. In particular,
TransVault Insight has been designed for scalability in the large
enterprise. Its modular architecture allows it to be installed on a single
server for smaller shops or broken down into components and scaled
across a distributed network. It also has a range of enterprise-ready
features, such as the ability to work well across low-bandwidth links,
compute a PST’s owner from sent and received data, and import PST
files, including those that are password-protected.

Other than its scalability, what really sets TransVault Insight apart
is its ability to not only import PSTs to the majority of modern mail
systems but also manage PSTs in situ. This is achieved by processing
against the individual items in each of the PST files rather than
against the file as a whole. Because you can analyze PSTs while they
reside on the client, you can make informed decisions on what to
import, what to delete, and what to leave in place—all of which can
be carried out through the administration console.

TransVault offers two versions of its software. One version is for
those organizations that want to simply investigate and report on
PSTs. The other version is for organizations that want to investigate,
report on, and manage PSTs by removing or migrating content.

Installation

Because TransVault Insight is a modular system, you need to install 
several different components. The first step is to take a look through 
the Help file. This well-written, informative guide gives you a decent 
understanding of the product. 

Next, install the Master service, which is the coordination point for
all operations. This service talks to a database, which must run on SQL
Server 2008 or later. One minor issue I found was that the Master service
installer didn’t create the correct database permissions. This is
documented in the Help file, but it would be nice to have it taken care of.

Now, request and install the license key by running the License Request 
Generator tool. After you receive the license file from TransVault, you 
must copy it to the main Master directory and restart the Master service. 

To complete the setup, you need to deploy and register one or more
controllers and agents. Controllers manage all the agents in a location
and process the PSTs, uploading the results of commands to the
Master service. Controllers also provide an integration point with
Exchange and Office 365.

Agents execute commands and send results back to the controller.
There’s flexibility in how agents are deployed. In a small site,
you can simply install an agent on the controller machine. In a large 
enterprise with remote sites, you can roll out agents on individual 
PCs, which gives greater control and allows for advanced functions, 
such as the discovery of open and locked PSTs through the use of the 
Windows Volume Shadow Copy Service (VSS) on each PC. 




Operation 

TransVault Insight is controlled from its administration console. As
Figure 1 shows, the console provides a simple dashboard-like view of key
system elements (e.g., controllers, agents) and ensures that you know
the total volume of PSTs being managed and the status of your policies.

Figure 1: TransVault Insight's Administration Console

In the administration console, the locations where you deployed
the agents during the installation process are automatically defined
as Dynamic Locations. You can also add other locations (e.g., file
shares) where PSTs might be stored. These are defined as Static
Locations. For the various locations, you can configure TransVault Insight
to scan the entire PC through administrative “$” shares or scan specific
directories if you’ve already centralized the PSTs.

One nice touch is that you can import a list of locations from an 
LDAP directory or comma-separated value (CSV) file. This feature 
lets you, for example, import all the client machines in your domain. 
Similarly, you can import a list of users from an LDAP directory or 
CSV file, then compare the users against the contents of PSTs. 

At this point, you could use commands to process and investigate 
PSTs, but it’s wise to consider using policies. For example, you can 
create policies that analyze data by age, attachment (e.g., Microsoft 
Word or Excel file), body content, and content in the Subject, To, and 
From fields. You can also use policies to both migrate selected PST 
content and manage PST content in place, ensuring that data is held 
in accordance with company regulations.


After you configure the required locations and policies, the next step is 
to set up the commands. Commands do the actual work. They include: 

• Scan (i.e., gather information about PSTs) 

• Delete (i.e., remove messages from PSTs or delete whole PSTs) 

• Rehydrate (i.e., extract and repopulate archived stub files into the 
PST before collection when used with TransVault Migrator) 

• Collect (i.e., import PSTs to a messaging platform) 

To begin, you’ll probably want to scan the various locations in order
to find and understand any problems. Then, you can use the other
commands to fix or process the problematic PSTs. Commands can be
manually run, scheduled to run at a specific time, or configured to run
immediately after another command has completed. When setting up
the commands, you have a wide range of options to customize how
they run. For example, you can use the Simulation mode to validate
what would occur with a Delete command, set a scope to limit a command
to specific locations, or specify a policy so that only messages
affected by the policy are processed. You can also specify how to deal
with open PSTs. Your options include automatically shutting down
Outlook or using the PC’s agent to capture the PST by means of VSS.

In TransVault Insight, reporting is straightforward and easy to understand.
There are four pre-canned reports, including a general overview
report and an activity report that shows the commands run over a certain
time period and a summary of the commands’ results. It doesn’t
appear to be possible to create your own reports, although I suspect you
could query the SQL Server database if you needed a custom report.

A Fully Featured PST Tool

TransVault Insight is a fully featured PST management and migration
tool that has been designed for scalability. Its ability to not only migrate
PSTs but also centrally monitor and manage data through policies could
be very useful to organizations where PSTs haven’t been eradicated. ■

TransVault Insight


PROS: Simple, well-presented 
administration console; wide 
range of features; manages PSTs 
in situ as well as migrates them 

CONS: Minor irritations during 
installation 

RATING: irkirkix 

PRICE: The following net prices are inclusive of launch discount and
first year's support and maintenance: TransVault Insight (scan and report
capabilities only) is $2.80 per user (1 to 1,000 users) or $1.54 per
user (1,001 to 10,000 users); TransVault Insight Manage (scan, report,
and management capabilities) is $8.40 per user (1 to 1,000 users) or
$4.62 per user (1,001 to 10,000 users)

RECOMMENDATION: TransVault Insight is a full-featured and well
thought-out PST management and migration tool. For ongoing PST
management or large-scale PST migrations, you should evaluate
TransVault Insight.

CONTACT: TransVault Software • 646-808-0407

Workshare Point

There are many products on the market aimed at promoting
Microsoft SharePoint adoption. They strive to better integrate
SharePoint functionality into Microsoft Outlook (and other
Microsoft Office applications) by giving users everything they need to
manage SharePoint documents without leaving Outlook. Workshare
Point is one of those products. But does it have anything that’s going
to make it stand out from the crowd? That’s what I wanted to find out
when I tested it recently.

Installation and Setup 

Workshare Point works with Office 2010 SP1 and Office 2007 SP3. It 
runs on Windows 7, Windows Vista SP2 or later, and Windows XP 
SP3 or later. On the server side, Workshare Point supports SharePoint 
Server 2010, SharePoint Foundation 2010, and Office 365. 

You install Workshare Point using a Windows Installer (.msi) file,
which you can distribute using Microsoft System Center Configuration
Manager (SCCM), Group Policy, or a similar technology. Although the
Workshare website states that Microsoft .NET Framework 4.0 is the
only prerequisite, the product also requires the Microsoft Visual C++
libraries, Visual Studio 2010 Tools for Office Runtime, and Office Primary
Interop Assemblies. Fortunately, Workshare Point checks for
these prerequisites and will download and install them if they aren’t
present. Setting up Workshare Point is simple and only requires the
URL of the SharePoint site that you want to work with.

Workshare Point includes a simple configuration manager application
that you can use to control integration with Office suite applications.
From within the configuration manager, you can perform some
basic tasks, such as licensing, configuring UI options, and adding and
removing SharePoint sites. You can also use the registry to add or
remove SharePoint sites.

Outlook Integration

Outlook integration is enabled by default. Unlike most other SharePoint
plug-ins for Outlook I’ve worked with, Workshare Point isn’t relegated
to just a sidebar. As Figure 1 shows, it introduces several components:

• Matter View pane. By default, Workshare Point “replaces” Outlook’s
Reading Pane with its own Matter View pane. (You can
still view Outlook’s Reading Pane by pressing the arrow next to
it.) The Matter View pane makes it easier to work with and navigate
through SharePoint content. Matter is a legal term that refers
to documentation connected with a legal practice and seems to
be a rather strange label choice, because the term might not be
understood by everyone. However, you can change the name
of this pane if desired. The Matter View pane includes a search
function, which works as expected. You can add columns to the
pane and use conditional formatting to help find and organize
documents. Workshare Point will automatically map email metadata
to SharePoint columns if the columns and mappings are
defined in SharePoint.

• Workshare Point sidebar. Even on a large screen, the Workshare
Point sidebar, which sits under the main Outlook navigation bar
on the left, is a little small to be easy to work with.

• Preview pane. This pane is great for viewing content, without
having to open a document.

Figure 1: Outlook with the Workshare Point Plug-In

Besides these components, a Workshare bar has been added to
the new email message window in Outlook. One of the Workshare
bar’s options is the ability to file the email in a specified SharePoint
folder after it’s sent. Workshare Point has a Pending Uploads
folder, so if there’s a connectivity issue, email will still be filed in
the SharePoint destination folder. The Workshare bar also includes
a search option.

You can drag and drop files from Windows Explorer to the Matter
View pane in Outlook. You can also drag and drop files from
the Workshare Point sidebar or Matter View pane to Outlook emails,
either as a file or link. The default drag-and-drop behavior is to add
a file to an email as an attachment. If you want it inserted as a link
instead, you press the Alt key while dragging the file. There’s also
the option to right-click a SharePoint document and add it to a new
email message as an attachment or link. However, if you’re selecting
the option to add a SharePoint document as a link from the context
menu on the Workshare bar from inside a new email message window,
Workshare Point will create a new email message—a behavior
that seems a little awkward because it differs from the behavior of the
drag-and-drop method.

From time to time, Workshare Point loses connection to SharePoint.
This is manifested in an inability to select a folder in the Workshare
Point sidebar or empty folders in the Matter View pane. Server connection
problems with the Workshare Point plug-in can also cause
Outlook to freeze. This is the kind of problem that will drive users
crazy, and quite rightly so. I also found Workshare Point’s connection
to SharePoint a little slower than competing products.

Integration with Other Office Applications

Workshare Point integrates with not only Outlook, but also Word,
PowerPoint, and Excel. In these Office suite applications, Workshare
Point adds Local Open and Local Save options to the File menu, which
you use for opening and saving files on the local machine. Workshare
Point also replaces the standard Office Open and Save options with
its own Open and Save options, which you use to open and save files
in a SharePoint site. With this setup, you can easily work with Word,
PowerPoint, and Excel files both on the local machine and in SharePoint
sites.

Not Quite as Good as the Competition 

After using Workshare Point, I can say that it feels like a corporate
in-house solution that’s been let out into the wild. As such, it suffers
from a problem that applications created by in-house developers often
have: a lack of usability. That’s not to say that Workshare Point is
unusable, but it doesn’t feel as polished or as well thought out as competing
products. My advice would be to look at the competition first
or wait for the next major update if you want to use Workshare Point
to take advantage of its integration with other Workshare products. ■

InstantDoc ID 144601 


Workshare Point 


PROS: Simple interface for 
working with SharePoint 
directly from Office applications; 
integrates with other Workshare 
solutions 

CONS: Some minor usability 
issues aren't a deal breaker but 
they put the product behind the 
competition; doesn't support 
SharePoint 2007 

rating :IrfrtrCrk 

PRICE: Subscription model 
starts at $49 per user 

RECOMMENDATION: 

With competitors out of 
the starting gate long ago, 
Workshare Point isn't quite as 
polished as similar products. 

I'd recommend waiting for an 
update to this software so it can 
receive a bit more polish. 

CONTACT: Workshare - 888-404-4246 or 415-975-3855

Online Enterprise Backup Solutions

What you should know before you jump into the cloud

Backups are hard work. You’ve probably tried multiple backup
technologies (e.g., tape, disk), multiple employees to create
and monitor backups, and multiple enterprise software tools.
But backup and restore operations don’t always succeed. The stakes
are high to get it right. As a fellow systems administrator confided,
“No backup, and I might as well not come to work tomorrow.” Given
the heightened importance of corporate data, considering new methods
to back up and store data is appropriate.

Cloud-based backups have made major inroads into the consumer 
market recently. As online consumer backups have gained acceptance, 
a variety of offerings have popped up in the online enterprise backup 
space. Some of these offerings are from startup companies, but others 
are from companies with which you might already be doing business. 

With promises of unlimited backups and low prices, cloud backups
might seem appealing, especially if you’re currently using onsite
removable storage such as tape. However, before you jump into the
cloud, you need to take a look at your current backup and restore
requirements and assess your data portfolio from a security and volume
perspective at the very least.

Pricing

When it comes to online enterprise backup solutions, the way that the
service is charged varies widely, making it hard to compare prices. For
example, some providers charge per gigabyte based on usage, whereas
other providers charge in gigabyte ranges. Pay special attention to hidden
costs, such as the cost per device backed up, licensing cost per
device, and the minimum fees per month to retain an account.

With that said, it’s important to note that price is probably not the 
best qualifier to narrow down the list of online enterprise backup 
solutions to consider. The backup and restore features should really 
drive your evaluation of which solution is best for your company. 


Backup Features to Consider 

When evaluating cloud backup solutions, it’s important to consider: 

• Encryption. You probably want more than a place to dump files.
Vendors offer various encryption levels (i.e., encryption strength),
some of which are tailored to meet certain compliance needs.

• Certified data center. If your company requires that data be stored at
a certified data center, this feature needs to be at the top of your list.

• Deduplication. A key feature that can reduce costs is deduplication,
which is a method to reduce data storage requirements by
eliminating redundant data. Deduplication implementations vary,
so testing reductions in backed up data is important.

• OS and application support. The majority of cloud backup solutions
support backing up most Windows versions and various
Linux distributions. Many solutions also offer application-aware
backups for popular Microsoft applications such as Exchange
Server, SQL Server, and SharePoint. Virtualization-aware backup
support varies considerably, with most solutions supporting at
least VMware. Some solutions also support backing up Hyper-V
and Citrix Systems virtualization environments.

• Agents. Some cloud backup solutions require that you install
agents to back up and recover data.

• Onsite backup appliance. If the cloud is replacing your current
backup environment, using an onsite appliance in a disk-to-disk-to-cloud
(D2D2C) backup solution might give you peace of mind
that your data is local. It might also improve backup performance
and flexibility. However, there are some caveats. First, you need
to consider the initial upfront cost of this device. In addition,
you’ll need to spend some time installing and managing the local
backup appliance. Finally, there could be a single point of failure.
For this reason, checking the appliance’s guaranteed replacement
time frames and the equipment warranty is crucial to ensure you
don’t miss backups due to hardware failures.

Restore Features to Consider 

Whether you need to restore a file or file system, the ability to easily
and quickly restore data is paramount. You need to consider the
following restore features when evaluating online backup solutions:

• Single web console. Having a single web-based management console
simplifies restore operations.

• 24 x 7 live support. In the event that you have an emergency
restore, having 24 x 7 live support is a plus.

• Onsite backup appliance. If you’re using an onsite appliance in
a D2D2C backup solution and you need to restore data from a
recent backup, the restore operation won’t affect your Internet
bandwidth usage because the data is local. Plus, it’s typically
much faster than an Internet restore.

Check Out the Buyer's Guide Table 

Whether you’re looking to replace your current backup system, bolster
your disaster recovery capability with offsite storage, increase the
reliability of backups, or just dip your toe into the online enterprise
backup arena, the Online Enterprise Backup Solutions Buyer’s Guide
table will help you sort through the options. Approaches vary widely,
so research the online enterprise backup solutions carefully. Trying
out the solution is one of the best ways to see whether it’ll meet your
needs, so the Buyer’s Guide table includes whether the various providers
offer free trials. ■

Insights from the Industry

Future Clouds Will Be Safe, Says Symantec

What’s holding back cloud computing? If you’re a fan of The Simpsons,
as I am, your first thought might be that it’s all due to the
Stonecutters secret society, which seems to control just about everything.
After all, few people doubt that the concept of cloud computing
makes sense and can provide business benefits in terms of increased
agility, scalability, and cost savings. What reason could explain the
slow uptake of the cloud other than a vast conspiracy?

Perhaps I’m overstating this. In reality, businesses and IT professionals
have legitimate concerns about transitioning to the cloud.
Although there are a number of specific concerns, I’d say they can
all be boiled down to one basic underlying reason: lack of trust. Can
the cloud provider’s security match on-premises security? Is data in
the cloud safe, protected, and accessible in the event of litigation and
e-discovery requests? Can the company meet its regulatory compliance
goals with a cloud service? What does the business do if it
can’t reach the service, whether from a failure within the service or
some other Internet or communications outage?

Any business contemplating cloud computing has probably considered
some if not all of these issues. Recognizing these needs,
Symantec announced its vision for the future of the cloud at the Cloud
Expo 2012 West. According to Symantec global cloud strategist Dave
Elliott, up until now, security and availability in the cloud have been
“afterthoughts and inhibitors,” but going forward they’ll be expected
and built into the foundations of the various clouds businesses are
using. Elliott also discussed how the company’s portfolio of existing
and new offerings will help enable “safe, agile, and efficient clouds”
in the next five years.

Several factors play into this change, not least of which is simply
increased maturity of the overall cloud infrastructure. Symantec
describes a cloud computing future that encompasses multiple connected
clouds, public and private, as well as virtualization and mobile
computing. Although the architecture might sound more complicated,
Symantec expects greater uptake of cloud computing in part due to
the increased presence of digital natives in the work force and in part
due to the clouds themselves being inherently safer.

The cornerstone of Symantec’s message is safety in the cloud.
The company announced several new or enhanced offerings for
both cloud consumers and cloud service providers. The offerings
include Symantec Endpoint Protection Small Business Edition 2013
and Symantec Protection Engine for Cloud Services, which are aimed
at enabling a more secure cloud experience. These new services go
along with existing offerings such as Symantec O3, which is a cloud
access platform that helps IT organizations control the flow of information
in and out of the business.

One of the most interesting programs Symantec has bundled with
this overall cloud strategy is a new three-day training program,
Symantec Cloud Security Essentials. This instructor-led course,
developed in cooperation with the Cloud Security Alliance (CSA),
covers cloud computing industry trends and best practices as well
as prepares attendees for Symantec certifications. As Elliott said,
“Training equals confidence.” Knowing how to implement a safe,
secure cloud infrastructure will give you the confidence to deploy it
for your users.

The safe cloud that Symantec envisions won’t come about through 
the efforts of any one company, as compelling as many of Symantec’s 
cloud offerings are. However, initiatives like the one that Symantec 
has launched are a great start at defeating the fear that might be 
holding businesses back from investing in cloud computing. That is,
unless it really does come down to the Stonecutters or some other 
secret society deviously influencing the development of the cloud. 

—B. K. Winstead 
InstantDoc ID 144736 


Exchange TechNet URL Updates Unwelcome

Looking at the outcome of some decisions, you wonder whether the 
folks who made them are affected by the foods or drink they imbibe. 
This thought came into my mind with the juxtaposition of the recent 
vote to legalize marijuana in the states of Washington and Colorado 
and Microsoft’s recent announcement that it had revamped the URLs 
used for Exchange Server documentation in TechNet. 

The announcement stated: 



Starting today, if you’ve bookmarked an Exchange 2010 article
in the library (for example,
http://technet.microsoft.com/en-us/library/bbl24558.aspx), it’ll
take you to the Exchange 2013 version of the article.

On the surface, there’s not much you can complain about here. The
Microsoft team has made sure that you get the latest possible
information if you go looking for something related to Exchange. The team
then goes on to say:

Note, if an Exchange 2013 version of the article does not exist,
the URL will still take you to the Exchange 2010 version.


All looks good until you start to consider the consequences.
Consider the folks who aren’t employed by Microsoft and write about
its technology (like me, for instance). We don’t have the resources
necessary to go through previous blog posts and articles to check
that any embedded URL that points to TechNet content is still valid.
So, any of the links to TechNet content in this blog (Tony Redmond’s
Exchange Unwashed) or in my Thoughts of an Idle Mind blog have
been magically redirected to Exchange Server 2013 content. Is this
what I intended when I included the links in the blog posts? Not
really.

Could it be that Microsoft has nullified the complete body of
Exchange blogging with one stroke? Not really, because the URLs
still bring you to valuable content. However, readers have to be more
aware of the material they view and make sure that the changes
made in Exchange 2013 don’t impact what they’re trying to do with
Exchange Server 2010 or Exchange Server 2007.

For example, new versions of Exchange introduce object properties
that had never existed before. It can be frustrating to read the
description of how to manipulate an object through the Exchange
Management Shell (EMS) only to find that the particular property that seems
to be appropriate for your purposes doesn’t exist in the version of
Exchange that you’re running. This is just one example of how
automatically sending you to updated material can get in the way.

The Exchange team says: 

You can also get to the Exchange 2010 version of a particular
article by appending version information ((v=exchg.141) for
Exchange 2010) at the end of the URL, right before the file
extension (.aspx).

Providing the ability to focus in on version-specific material is a good
idea, but I fear that adding the necessary version number to a URL is
hardly something that comes naturally to the average or even
not-so-average Exchange administrator. People like me can hardly
remember yesterday, let alone recall the format of the suffix including the
version number. (In this case, I assume that “141” means Exchange
2010 SP2 as Exchange 2010 is version 14.)
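
For authors who want existing links to keep pointing at Exchange 2010 content, the suffix described above can be applied mechanically. The following Python sketch is an added example, not code from Microsoft or the author; it assumes the token is written `(v=exchg.141)` with no spaces, and the sample post and its article IDs are constructed for illustration.

```python
import re

# Version token quoted in the announcement for Exchange 2010 content
# (assumed to be written without spaces).
EXCHANGE_2010 = "(v=exchg.141)"

# TechNet library article links: .../library/<id>[(v=...)].aspx
# The optional "ver" group captures a version token that is already present.
TECHNET_LINK = re.compile(
    r"(?P<base>https?://technet\.microsoft\.com/[a-z]{2}-[a-z]{2}/library/[a-z0-9]+)"
    r"(?P<ver>\(v=[^)]*\))?"
    r"(?P<ext>\.aspx)",
    re.IGNORECASE,
)


def pin_version(text, token=EXCHANGE_2010):
    """Insert the version token right before .aspx in every unpinned
    TechNet library link. Returns (new_text, [(old_url, new_url), ...])."""
    changed = []

    def _rewrite(match):
        if match.group("ver"):
            # Already version-specific: keep whatever the author chose.
            return match.group(0)
        pinned = match.group("base") + token + match.group("ext")
        changed.append((match.group(0), pinned))
        return pinned

    return TECHNET_LINK.sub(_rewrite, text), changed


# Constructed sample blog text; the article IDs are made up.
SAMPLE_POST = (
    "See http://technet.microsoft.com/en-us/library/aa000001.aspx for details.\n"
    "Pinned: http://technet.microsoft.com/en-us/library/aa000002(v=exchg.141).aspx\n"
    "Other site: http://example.com/library/aa000003.aspx\n"
)

if __name__ == "__main__":
    updated, report = pin_version(SAMPLE_POST)
    for old, new in report:
        print(old, "->", new)
```

Running the function a second time over its own output changes nothing, so it is safe to apply repeatedly to an archive of posts.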

In summary, the idea of providing the most up-to-date material
available is good, but this implementation is bad because of its impact
on previously published material. There’s a possibility that everything
will work “just right.” We shall see.

I also think that pushing Exchange 2013 material down the
proverbial throats of those who seek knowledge is just plain premature
at this point. Exchange 2013 isn’t the version that’s being deployed
today. It’s too new and the code necessary to allow it to co-exist with
its predecessors isn’t available. Sure, people are looking for
information about Exchange 2013, but wouldn’t you think that the vast
bulk of current searches against TechNet are for Exchange 2007 and
Exchange 2010 content? Sometimes I just wonder ....

—Tony Redmond 
InstantDoc ID 144781 

Product of the Month

We don’t know about your environment, but ours
is full of liquid peril. We’re constantly dropping our
smartphones in our coffee, in the lake outside our
offices, or—worse—in the toilet. What do you do
when a torrent of rain or another wet catastrophe
befalls your phone? One answer is the BHEESTIE, a
device that promises to save electronics from water
damage. Simply open the moisture-blocking Mylar
bag, seal in your wet device, and let it rest (for up to
72 hours) amongst the ultra-absorbent BHEESTIE Molecular Beads. The
beads physically bond to the device and remove the water—“proven to
be 700 times more effective than home remedies.” The bag can last up
to a year for everyday use or less if used for extreme soaking. For more
information, check out the BHEESTIE BAG website.


Figure 1: Awesome! Wait ...what?

Driver Install Error: The driver package is compatable with your version of windows.

Figure 2: But that's what I'm trying to do!

Delete in progress - do not disconnect your device. Delete could take several minutes to complete. Disconnecting before it completes could cause data loss.


Send us your funny screenshots, oddball product news, and
hilarious end-user stories. If we use your submission, you'll
receive a Windows IT Pro Rubik's Cube.